print_buildlog: Remove control characters from build log before printing (CVE-2012-1095)

2025-08-30 01:44:11 +02:00 · 2023-08-14 14:14:18 +02:00
parent 57a4cdc6a4
commit d857e5dbf8
1 changed files with 4 additions and 1 deletions
--- a/osc/core.py
+++ b/osc/core.py
@@ -6955,8 +6955,11 @@ def print_buildlog(
    def print_data(data, strip_time=False):
        if strip_time:
            data = buildlog_strip_time(data)
-        output_buffer.write(data)
+        output_buffer.write(data.translate(all_bytes, remove_bytes))

+    # to protect us against control characters (CVE-2012-1095)
+    all_bytes = bytes.maketrans(b'', b'')
+    remove_bytes = all_bytes[:8] + all_bytes[14:32]  # accept tabs and newlines
    query = {'nostream': '1', 'start': '%s' % offset}
    if last:
        query['last'] = 1