Diffstat (limited to 'main/monit/CVE-2019-11454.patch')
-rw-r--r-- | main/monit/CVE-2019-11454.patch | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/main/monit/CVE-2019-11454.patch b/main/monit/CVE-2019-11454.patch
new file mode 100644
index 00000000000..bae12581a9f
--- /dev/null
+++ b/main/monit/CVE-2019-11454.patch
@@ -0,0 +1,26 @@
+From 328f60773057641c4b2075fab9820145e95b728c Mon Sep 17 00:00:00 2001
+From: tildeslash <info@tildeslash.com>
+Date: Mon, 4 Mar 2019 14:13:42 +0100
+Subject: [PATCH] Fixed: HTML escape the log file content when viewed via Monit
+ GUI.
+
+---
+ src/http/cervlet.c | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/http/cervlet.c b/src/http/cervlet.c
+index 9e3cd9c..afba84b 100644
+--- a/src/http/cervlet.c
++++ b/src/http/cervlet.c
+@@ -907,7 +907,7 @@ static void do_viewlog(HttpRequest req, HttpResponse res) {
+ StringBuffer_append(res->outputbuffer, "<br><p><form><textarea cols=120 rows=30 readonly>");
+ while ((n = fread(buf, sizeof(char), sizeof(buf) - 1, f)) > 0) {
+ buf[n] = 0;
+- StringBuffer_append(res->outputbuffer, "%s", buf);
++ escapeHTML(res->outputbuffer, buf);
+ }
+ fclose(f);
+ StringBuffer_append(res->outputbuffer, "</textarea></form>");
+--
+2.10.5
+
|
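Review bot: The embedded diffstat in the new patch file claims `2 files changed, 3 insertions(+), 1 deletion(-)`, but the patch body carries a single hunk in `src/http/cervlet.c` with one insertion and one deletion, so a second file (presumably the upstream CHANGES entry) was trimmed when the patch was imported. `git am` and `patch` skip the text between `---` and the first `diff --git`, so the build is unaffected, but the stale summary misleads anyone auditing what the package actually backports; either drop those two stat lines or correct the summary to ` 1 file changed, 1 insertion(+), 1 deletion(-)`. The fix itself only neutralises log content inside the `<textarea>` if `escapeHTML`, which is defined outside this patch, escapes at least `<`, `>` and `&`; that is worth confirming against the monit version the APKBUILD pins, since the hunk shows only the call site and `do_viewlog` continues outside it. The patch also takes effect only once it is referenced from the APKBUILD `source=` and checksum entries, which are not part of this view.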