path: root/main/monit/CVE-2019-11454.patch
Diffstat (limited to 'main/monit/CVE-2019-11454.patch')
-rw-r--r--main/monit/CVE-2019-11454.patch26
1 files changed, 26 insertions, 0 deletions
diff --git a/main/monit/CVE-2019-11454.patch b/main/monit/CVE-2019-11454.patch
new file mode 100644
index 00000000000..bae12581a9f
--- /dev/null
+++ b/main/monit/CVE-2019-11454.patch
@@ -0,0 +1,26 @@
+From 328f60773057641c4b2075fab9820145e95b728c Mon Sep 17 00:00:00 2001
+From: tildeslash <info@tildeslash.com>
+Date: Mon, 4 Mar 2019 14:13:42 +0100
+Subject: [PATCH] Fixed: HTML escape the log file content when viewed via Monit
+ GUI.
+
+---
+ src/http/cervlet.c | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/http/cervlet.c b/src/http/cervlet.c
+index 9e3cd9c..afba84b 100644
+--- a/src/http/cervlet.c
++++ b/src/http/cervlet.c
+@@ -907,7 +907,7 @@ static void do_viewlog(HttpRequest req, HttpResponse res) {
+ StringBuffer_append(res->outputbuffer, "<br><p><form><textarea cols=120 rows=30 readonly>");
+ while ((n = fread(buf, sizeof(char), sizeof(buf) - 1, f)) > 0) {
+ buf[n] = 0;
+- StringBuffer_append(res->outputbuffer, "%s", buf);
++ escapeHTML(res->outputbuffer, buf);
+ }
+ fclose(f);
+ StringBuffer_append(res->outputbuffer, "</textarea></form>");
+--
+2.10.5
+
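Review bot: The fix on the `escapeHTML(res->outputbuffer, buf);` line is only as strong as escapeHTML, whose body is not part of this patch; before shipping, confirm it rewrites at least `<`, `>` and `&` so a log line containing `</textarea><script>` cannot close the readonly textarea opened on the line above and run in the viewer's browser. The loop still reads fixed-size chunks with fread and NUL-terminates each one with `buf[n] = 0`, so a NUL byte inside a chunk silently drops the remainder of that chunk from the view; if the log can contain binary data, a length-aware escape (passing `n` rather than relying on the terminator) would avoid that, though this is a display defect rather than an injection path. The embedded patch header claims `2 files changed, 3 insertions(+), 1 deletion(-)` while only the cervlet.c hunk is carried, presumably because an upstream changelog entry was dropped on backport; a one-line note in the patch header such as `Backported from upstream 328f6077; CHANGES hunk omitted.` would stop the mismatch from looking like a truncated patch. do_viewlog begins and ends outside the hunk.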