- strip terminal control chars, except new lines from build logs (CVE-2012-1095)

2024-11-10 06:46:15 +01:00 · 2012-03-05 10:44:09 +01:00 · 2012-03-05 10:44:09 +01:00 · effe3835ba
commit effe3835ba
parent 1000c26c6f
1 changed files with 7 additions and 1 deletions
--- a/osc/core.py
+++ b/osc/core.py
@ -5039,6 +5039,12 @@ def streamfile(url, http_meth = http_GET, bufsize=8192, data=None, progress_obj=

 def print_buildlog(apiurl, prj, package, repository, arch, offset = 0):
    """prints out the buildlog on stdout"""
+
+    # to protect us against control characters
+    import string
+    all_bytes = string.maketrans('', '')
+    remove_bytes = all_bytes[:10] + all_bytes[11:32] # accept newlines
+
    query = {'nostream' : '1', 'start' : '%s' % offset}
    while True:
        query['start'] = offset
@ -5046,7 +5052,7 @@ def print_buildlog(apiurl, prj, package, repository, arch, offset = 0):
        u = makeurl(apiurl, ['build', prj, repository, arch, package, '_log'], query=query)
        for data in streamfile(u):
            offset += len(data)
-            sys.stdout.write(data)
+            sys.stdout.write(data.translate(all_bytes, remove_bytes))
        if start_offset == offset:
            break