Filter out invalid log file name requests. JM-1506

git-svn-id: http://svn.igniterealtime.org/svn/repos/openfire/trunk@10937 b35dd754-fafc-0310-a699-88a17e54d16e

Filter out invalid log file name requests. JM-1506
git-svn-id: http://svn.igniterealtime.org/svn/repos/openfire/trunk@10937 b35dd754-fafc-0310-a699-88a17e54d16e
443ef34e · Matt Tucker · matt · 35355cdf · 443ef34e
Commit 443ef34e authored Dec 11, 2008 by Matt Tucker Committed by matt Dec 11, 2008
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 3 deletions

log.jsp src/web/log.jsp +5 -3

No files found.
--- a/src/web/log.jsp
+++ b/src/web/log.jsp
@@ -76,6 +76,11 @@
    int numLines = ParamUtils.getIntParameter(request,"lines",50);
    String mode = ParamUtils.getParameter(request,"mode");

+    // Only allow requests for valid log file names.
+    if (!("debug".equals(log) || "warn".equals(log) || "info".equals(log) || "error".equals(log))) {
+        log = null;
+    }
+
    // Set defaults
    if (log == null) {
        log = "error";
@@ -87,9 +92,6 @@
        numLinesParam = "50";
    }

-    // Santize variables to prevent vulnerabilities
-    log = StringUtils.escapeHTMLTags(log);
-
    // Other vars
    File logDir = new File(Log.getLogDirectory());
    String filename = log + ".log";