github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

BF: escape the content of <matches> since its value could contain arbitrary symbols

pull/68/merge
Yaroslav Halchenko 2012-10-08 22:14:51 -04:00
parent 6ee2c0a014
commit 83109bce14
1 changed files with 15 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
server/action.py
View File

@ -230,7 +230,14 @@ class Action:
def execActionStop(self): def execActionStop(self):
stopCmd = Action.replaceTag(self.__actionStop, self.__cInfo) stopCmd = Action.replaceTag(self.__actionStop, self.__cInfo)
return Action.executeCmd(stopCmd) return Action.executeCmd(stopCmd)
def escapeTag(tag):
for c in '\\#&;`|*?~<>^()[]{}$\n':
if c in tag:
tag = tag.replace(c, '\\' + c)
return tag
escapeTag = staticmethod(escapeTag)
## ##
# Replaces tags in query with property values in aInfo. # Replaces tags in query with property values in aInfo.
# #
@ -243,8 +250,13 @@ class Action:
""" Replace tags in query """ Replace tags in query
""" """
string = query string = query
for tag in aInfo: for tag, value in aInfo.iteritems():
string = string.replace('<' + tag + '>', str(aInfo[tag])) value = str(value) # assure string
if tag == 'matches':
# That one needs to be escaped since its content is
# out of our control
value = escapeTag(value)
string = string.replace('<' + tag + '>', value)
# New line # New line
string = string.replace("<br>", '\n') string = string.replace("<br>", '\n')
return string return string