Sanitize user-agent in wrong_login message (#45251)

2021-01-18 08:21:30 +00:00 · 2021-01-18 08:21:30 +00:00 · cf9ea6f82d
commit cf9ea6f82d
parent b2f914823d
2 changed files with 9 additions and 7 deletions
--- a/homeassistant/components/http/ban.py
+++ b/homeassistant/components/http/ban.py
@ -105,16 +105,18 @@ async def process_wrong_login(request):
    except herror:
        pass

-    msg = f"Login attempt or request with invalid authentication from {remote_host} ({remote_addr})"
+    base_msg = f"Login attempt or request with invalid authentication from {remote_host} ({remote_addr})."

+    # The user-agent is unsanitized input so we only include it in the log
    user_agent = request.headers.get("user-agent")
-    if user_agent:
-        msg = f"{msg} ({user_agent})"
+    log_msg = f"{base_msg} ({user_agent})"

-    _LOGGER.warning(msg)
+    notification_msg = f"{base_msg} See the log for details."
+
+    _LOGGER.warning(log_msg)

    hass.components.persistent_notification.async_create(
-        msg, "Login attempt failed", NOTIFICATION_ID_LOGIN
+        notification_msg, "Login attempt failed", NOTIFICATION_ID_LOGIN
    )

    # Check if ban middleware is loaded
--- a/tests/components/http/test_ban.py
+++ b/tests/components/http/test_ban.py
@ -174,8 +174,8 @@ async def test_ip_bans_file_creation(hass, aiohttp_client):

        assert len(notification_calls) == 3
        assert (
-            "Login attempt or request with invalid authentication from example.com (200.201.202.204) (Python"
-            in notification_calls[0].data["message"]
+            notification_calls[0].data["message"]
+            == "Login attempt or request with invalid authentication from example.com (200.201.202.204). See the log for details."
        )