From 765fdc61a943d215c68073f81c0d0b3534aa3f46 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonas=20R=C3=B6ger?= <jonas.roeger@tu-dortmund.de>
Date: Sun, 13 Oct 2019 19:39:13 +0200
Subject: [PATCH] server.go - reportBug - prevent field injection

---
 internal/server.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/internal/server.go b/internal/server.go
index c5d7878..f37998a 100644
--- a/internal/server.go
+++ b/internal/server.go
@@ -338,6 +338,11 @@ func reportBug(w http.ResponseWriter, r *http.Request) {
 		fmt.Fprint(w, "Invaild Request")
 		return
 	}
+	/* Prevent field injection (assuming no injection in user.Name is possible) */
+	if strings.ContainsRune(subject, '\n') {
+		w.WriteHeader(http.StatusBadRequest)
+		fmt.Fprint(w, "Invaild Request")
+	}
 
 	/* Try to dispatch bugreport */
 	if err = BRDispatchBugreport(&user, subject, content); err != nil {
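Review bot: The new guard at L19 writes a 400 status but never returns, so a subject containing a newline still falls through to `BRDispatchBugreport` at L25 and the handler then writes a second response on an already-committed ResponseWriter; add `return` after `fmt.Fprint(w, "Invaild Request")` inside the new block, mirroring the guard just above it. Since a carriage return can end a header line as well, the check is probably better written as `if strings.ContainsAny(subject, "\r\n") {` — whether `\r` alone matters depends on how the dispatcher formats the subject, which is not visible here. The comment's assumption that user.Name cannot carry an injection is only an assumption in this hunk; if the dispatcher places user.Name in the same header context, the same check belongs where user is read. reportBug starts before this hunk and continues after it.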
-- 
GitLab