Merge pull request from GHSA-x525-54hf-xr53
* do not log unvalidated user-input to mysql-log (if enabled) Signed-off-by: Michael Kaufmann <d00p@froxlor.org> * clean log-text to only allow a subset of special characters Signed-off-by: Michael Kaufmann <d00p@froxlor.org> * clean log-text when selecting from database to avoid possible previously added malicious entries Signed-off-by: Michael Kaufmann <d00p@froxlor.org> --------- Signed-off-by: Michael Kaufmann <d00p@froxlor.org>
This commit is contained in:
parent
7f8b36e0bd
commit
1b44ee2e06
@ -272,7 +272,7 @@ if ($action == '2fa_entercode') {
|
||||
$rstlog = FroxlorLogger::getInstanceOf([
|
||||
'loginname' => $_SERVER['REMOTE_ADDR']
|
||||
]);
|
||||
$rstlog->logAction(FroxlorLogger::LOGIN_ACTION, LOG_WARNING, "Unknown user '" . $loginname . "' tried to login.");
|
||||
$rstlog->logAction(FroxlorLogger::LOGIN_ACTION, LOG_WARNING, "Unknown user tried to login.");
|
||||
|
||||
Response::redirectTo('index.php', [
|
||||
'showmessage' => '2'
|
||||
@ -334,7 +334,7 @@ if ($action == '2fa_entercode') {
|
||||
$rstlog = FroxlorLogger::getInstanceOf([
|
||||
'loginname' => $_SERVER['REMOTE_ADDR']
|
||||
]);
|
||||
$rstlog->logAction(FroxlorLogger::LOGIN_ACTION, LOG_WARNING, "User '" . $loginname . "' tried to login with wrong password.");
|
||||
$rstlog->logAction(FroxlorLogger::LOGIN_ACTION, LOG_WARNING, "User tried to login with wrong password.");
|
||||
|
||||
unset($userinfo);
|
||||
Response::redirectTo('index.php', [
|
||||
@ -653,7 +653,7 @@ if ($action == 'forgotpwd') {
|
||||
$rstlog = FroxlorLogger::getInstanceOf([
|
||||
'loginname' => 'password_reset'
|
||||
]);
|
||||
$rstlog->logAction(FroxlorLogger::USR_ACTION, LOG_WARNING, "User '" . $loginname . "' requested to set a new password, but was not found in database!");
|
||||
$rstlog->logAction(FroxlorLogger::USR_ACTION, LOG_WARNING, "Unknown user requested to set a new password, but was not found in database!");
|
||||
$message = lng('login.usernotfound');
|
||||
}
|
||||
|
||||
|
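Review bot: Dropping `$loginname` from all three warning messages (the unknown-user, wrong-password and password-reset branches) removes the only per-account signal these entries carried, so an operator can no longer see that one account is being hammered or distinguish a typo from an enumeration attempt; the remote address survives only as the logger's `loginname` field. Since logAction() in this same commit now strips every character outside its allowlist, the name could be kept and passed through that filter instead of discarded, e.g. `"User '" . mb_substr($loginname, 0, 64) . "' tried to login with wrong password."`, which bounds length and still yields a sanitized entry. If the intent is to never persist attacker-controlled strings at all, a short comment above each call saying so would stop a later maintainer from re-adding the name. The enclosing `if` blocks start and end outside these hunks.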
@ -90,6 +90,8 @@ class SysLog extends ApiCommand implements ResourceEntity
|
||||
}
|
||||
Database::pexecute($result_stmt, $query_fields, true, true);
|
||||
while ($row = $result_stmt->fetch(PDO::FETCH_ASSOC)) {
|
||||
// clean log-text
|
||||
$row['text'] = preg_replace("/[^\w @#\"':.()\[\]+\-_\/\\\!]/i", "_", $row['text']);
|
||||
$result[] = $row;
|
||||
}
|
||||
$this->logger()->logAction($this->isAdmin() ? FroxlorLogger::ADM_ACTION : FroxlorLogger::USR_ACTION, LOG_INFO, "[API] list log-entries");
|
||||
|
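Review bot: The allowlist regex applied to `$row['text']` duplicates the one added to FroxlorLogger::logAction() in this commit, so the two policies will drift apart the first time one is touched; a single static helper (a constructed name such as `FroxlorLogger::cleanLogText(string $text): string`) called from both places keeps the rule in one spot. Without the `u` modifier `\w` is ASCII-only and each byte of a multi-byte UTF-8 character is replaced separately, so an umlaut in an already stored message becomes two underscores rather than one. Cleaning on read is a sensible mitigation for entries written before this change, but the template that renders `text` should still HTML-escape it for its output context rather than rely on this character filter. The surrounding method continues outside the hunk.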
@ -175,6 +175,9 @@ class FroxlorLogger
|
||||
$this->initMonolog();
|
||||
}
|
||||
|
||||
// clean log-text
|
||||
$text = preg_replace("/[^\w @#\"':.()\[\]+\-_\/\\\!]/i", "_", $text);
|
||||
|
||||
if (self::$crondebug_flag || ($action == FroxlorLogger::CRON_ACTION && $type <= LOG_WARNING)) {
|
||||
echo "[" . $this->getLogLevelDesc($type) . "] " . $text . PHP_EOL;
|
||||
}
|
||||
|
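Review bot: The `/i` modifier on the new preg_replace is a no-op for this class (`\w` already matches both cases), and because `_` is itself an allowed character a reader cannot tell a sanitized entry from an untouched one; passing the `$count` argument and flagging altered lines preserves that forensic detail, e.g. `$text = preg_replace("/[^\w @#\"':.()\[\]+\-_\/\\\!]/", "_", $text, -1, $count);` followed by `if ($count > 0) { $text .= " [sanitized]"; }`. If a `u` modifier is added to avoid mangling multi-byte characters, note that preg_replace then returns null on invalid UTF-8, so the result must be null-checked with a byte-wise fallback rather than assigned straight back to `$text`. The filter sits before the debug echo shown here; logAction() continues past the hunk, so it is worth confirming the database and monolog writes further down also see the cleaned `$text`.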