| author | Simon Rettberg | 2025-03-31 11:35:48 +0200 |
|---|---|---|
| committer | Simon Rettberg | 2025-03-31 11:35:48 +0200 |
| commit | 1e74ff69b934da02751b334e548dec88630de9d4 (patch) | |
| tree | 8575c08dad8e58f6d6589fe31be891050756003c | |
| parent | [inc/Message] Output plain text in API mode (diff) | |
| download | slx-admin-1e74ff69b934da02751b334e548dec88630de9d4.tar.gz slx-admin-1e74ff69b934da02751b334e548dec88630de9d4.tar.xz slx-admin-1e74ff69b934da02751b334e548dec88630de9d4.zip | |
[syslog] Sanitize input
| -rw-r--r-- | modules-available/syslog/api.inc.php | 9 | ||||
| -rw-r--r-- | modules-available/syslog/inc/clientlog.inc.php | 9 |
2 files changed, 11 insertions, 7 deletions
diff --git a/modules-available/syslog/api.inc.php b/modules-available/syslog/api.inc.php
index cc64b31c..d2fa4a85 100644
--- a/modules-available/syslog/api.inc.php
+++ b/modules-available/syslog/api.inc.php
@@ -39,8 +39,7 @@ if (($user = Request::post('export-user', false, 'string')) !== false) {
 die("# End log\n");
 }
-if (empty($_POST['type'])) die('Missing options.');
-$type = mb_strtolower($_POST['type']);
+$type = Request::post('type', Request::REQUIRED, 'string');
 $ip = $_SERVER['REMOTE_ADDR'];
 if (substr($ip, 0, 7) === '::ffff:') $ip = substr($ip, 7);
@@ -57,11 +56,7 @@ if (strlen($uuid) !== 36) {
 * Normal logging
 */
-if (!isset($_POST['description'])) die('Missing options..');
-
-$description = $_POST['description'];
-$longdesc = '';
-if (isset($_POST['longdesc'])) $longdesc = $_POST['longdesc'];
+$description = Request::post('description', Request::REQUIRED, 'string');
 $longdesc = Request::post('longdesc', '', 'string');
 if (preg_match('/^[a-z0-9\-]+$/', $type)) {
diff --git a/modules-available/syslog/inc/clientlog.inc.php b/modules-available/syslog/inc/clientlog.inc.php
index b38c29fe..5b34f87e 100644
--- a/modules-available/syslog/inc/clientlog.inc.php
+++ b/modules-available/syslog/inc/clientlog.inc.php
@@ -27,6 +27,15 @@ class ClientLog
 }
 $client['clientip'] = $res['clientip'];
 }
+ if (mb_strlen($description) > 255) {
+ $description = mb_substr($description, 0, 255);
+ }
+ if (mb_strlen($longDesc) > 65535) {
+ $longDesc = mb_substr($longDesc, 0, 65535);
+ }
+ if (mb_strlen($type) > 30) {
+ $type = mb_substr($type, 0, 30);
+ }
 $data = [
 'type' => $type,
 'clientip' => $client['clientip'], |
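Review bot: The new `$type = Request::post('type', Request::REQUIRED, 'string');` line in the first api.inc.php hunk drops the `mb_strtolower()` normalisation that the removed line applied, while the later check `preg_match('/^[a-z0-9\-]+$/', $type)` (context in the second hunk) accepts lowercase only. A client that still posts a mixed-case type would now fall into the non-matching branch, which lies outside the visible lines. Either keep the normalisation, `$type = mb_strtolower(Request::post('type', Request::REQUIRED, 'string'));`, or add a comment such as `// type must already be lowercase; anything else is rejected below` so the stricter behaviour is clearly intentional. It is also worth confirming that `Request::REQUIRED` rejects an empty string as the removed `empty()` check did, since its behaviour is not shown here.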
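Review bot: The truncation added before `$data = [` in clientlog.inc.php counts characters with `mb_strlen`/`mb_substr`, which matches the storage limit only if the target columns are character-limited. The 65535 cap looks like a TEXT-style byte limit, though the schema is not visible here, so this needs confirming. If it is a byte limit, a long description with multi-byte characters can still exceed the column and be rejected or cut by the database. A byte-bounded cut that keeps character boundaries intact would be `if (strlen($longDesc) > 65535) { $longDesc = mb_strcut($longDesc, 0, 65535); }`. Because these are log records, a short comment noting that oversized fields are silently shortened would help anyone later reading the stored entries; the enclosing method starts and ends outside the hunk.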
