cli-transaction: Escape any special characters in the EOL reason

CVE-2023-28101, GHSA-h43h-fwqx-mpp8 Signed-off-by: Simon McVittie <smcv@collabora.com>
flatpak · Mar 16, 2023 · 409e341 · 409e341
1 parent 7fe63f2
commit 409e341
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/app/flatpak-cli-transaction.c b/app/flatpak-cli-transaction.c
@@ -755,6 +755,9 @@ print_eol_info_message (FlatpakDir        *dir,
     }
   else if (reason)
     {
+      g_autofree char *escaped_reason = flatpak_escape_string (reason,
+                                                               FLATPAK_ESCAPE_ALLOW_NEWLINES |
+                                                               FLATPAK_ESCAPE_DO_NOT_QUOTE);
       if (is_pinned)
         {
           /* Only runtimes can be pinned */
@@ -770,7 +773,7 @@ print_eol_info_message (FlatpakDir        *dir,
             g_print (_("\nInfo: app %s%s%s branch %s%s%s is end-of-life, with reason:\n"),
                      on, ref_name, off, on, ref_branch, off);
         }
-      g_print ("   %s\n", reason);
+      g_print ("   %s\n", escaped_reason);
     }
 }