BF: escape the content of <matches> since its value could contain arb…

…itrary symbols
fail2ban · Oct 9, 2012 · 83109bc · 83109bc
1 parent 6ee2c0a
commit 83109bc
Showing 1 changed file with 15 additions and 3 deletions.
diff --git a/server/action.py b/server/action.py
@@ -230,7 +230,14 @@ def getActionStop(self):
 	def execActionStop(self):
 		stopCmd = Action.replaceTag(self.__actionStop, self.__cInfo)
 		return Action.executeCmd(stopCmd)
-
+
+	def escapeTag(tag):
+		for c in '\\#&;`|*?~<>^()[]{}$\n':
+			if c in tag:
+				tag = tag.replace(c, '\\' + c)
+		return tag
+	escapeTag = staticmethod(escapeTag)
+
 	##
 	# Replaces tags in query with property values in aInfo.
 	#
@@ -243,8 +250,13 @@ def replaceTag(query, aInfo):
 		""" Replace tags in query
 		"""
 		string = query
-		for tag in aInfo:
-			string = string.replace('<' + tag + '>', str(aInfo[tag]))
+		for tag, value in aInfo.iteritems():
+			value = str(value)			  # assure string
+			if tag == 'matches':
+				# That one needs to be escaped since its content is
+				# out of our control
+				value = escapeTag(value)
+			string = string.replace('<' + tag + '>', value)
 		# New line
 		string = string.replace("<br>", '\n')
 		return string