[SECURITY] Patch for GHSA-2v67-4x3c-889g (BACKPORT)

reactive-firewall · reactive-firewall · commit ea59b6e10401 · 2024-10-02T00:57:54.000-07:00
Version v1.5.1
diff --git a/multicast/hear.py b/multicast/hear.py
@@ -329,25 +329,26 @@ class HearUDPHandler(socketserver.BaseRequestHandler):
 	def handle(self):
 		data = self.request[0].strip()
 		socket = self.request[1]
+		safe_data = str(data).replace('\r', '').replace('%', '%%')
 		print(str("{} SAYS: {} to {}").format(
-			self.client_address[0], str(data), "ALL"
+			self.client_address[0], safe_data, "ALL"
 		))
 		if data is not None:
 			myID = str(socket.getsockname()[0])
 			print(
 				str("{me} HEAR: [{you} SAID {what}]").format(
-					me=myID, you=self.client_address, what=str(data)
+					me=myID, you=self.client_address, what=safe_data
 				)
 			)
 			print(
 				str("{me} SAYS [ HEAR [ {what} SAID {you} ] from {me} ]").format(
-					me=myID, you=self.client_address, what=str(data)
+					me=myID, you=self.client_address, what=safe_data
 				)
 			)
 			send.McastSAY()._sayStep(  # skipcq: PYL-W0212 - module ok
 				self.client_address[0], self.client_address[1],
 				str("HEAR [ {what} SAID {you} ] from {me}").format(
-					me=myID, you=self.client_address, what=data.upper()
+					me=myID, you=self.client_address, what=safe_data.upper()
 				)
 			)
 			if """STOP""" in str(data):

Original file line number	Diff line number	Diff line change
`@@ -329,25 +329,26 @@ class HearUDPHandler(socketserver.BaseRequestHandler):`
`329`	`329`	`def handle(self):`
`330`	`330`	`data = self.request[0].strip()`
`331`	`331`	`socket = self.request[1]`
	`332`	`+ safe_data = str(data).replace('\r', '').replace('%', '%%')`
`332`	`333`	`print(str("{} SAYS: {} to {}").format(`
`333`		`- self.client_address[0], str(data), "ALL"`
	`334`	`+ self.client_address[0], safe_data, "ALL"`
`334`	`335`	`))`
`335`	`336`	`if data is not None:`
`336`	`337`	`myID = str(socket.getsockname()[0])`
`337`	`338`	`print(`
`338`	`339`	`str("{me} HEAR: [{you} SAID {what}]").format(`
`339`		`- me=myID, you=self.client_address, what=str(data)`
	`340`	`+ me=myID, you=self.client_address, what=safe_data`
`340`	`341`	`)`
`341`	`342`	`)`
`342`	`343`	`print(`
`343`	`344`	`str("{me} SAYS [ HEAR [ {what} SAID {you} ] from {me} ]").format(`
`344`		`- me=myID, you=self.client_address, what=str(data)`
	`345`	`+ me=myID, you=self.client_address, what=safe_data`
`345`	`346`	`)`
`346`	`347`	`)`
`347`	`348`	`send.McastSAY()._sayStep( # skipcq: PYL-W0212 - module ok`
`348`	`349`	`self.client_address[0], self.client_address[1],`
`349`	`350`	`str("HEAR [ {what} SAID {you} ] from {me}").format(`
`350`		`- me=myID, you=self.client_address, what=data.upper()`
	`351`	`+ me=myID, you=self.client_address, what=safe_data.upper()`
`351`	`352`	`)`
`352`	`353`	`)`
`353`	`354`	`if """STOP""" in str(data):`