From cf9ea6f82dd8668573a2f1ed24eb467c9d69f611 Mon Sep 17 00:00:00 2001
From: gregod
Date: Mon, 18 Jan 2021 08:21:30 +0000
Subject: [PATCH] Sanitize user-agent in wrong_login message (#45251)
---
 homeassistant/components/http/ban.py | 12 +++++++-----
 tests/components/http/test_ban.py | 4 ++--
 2 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/homeassistant/components/http/ban.py b/homeassistant/components/http/ban.py
index 14d81a1eb6e..2e51dc35d88 100644
--- a/homeassistant/components/http/ban.py
+++ b/homeassistant/components/http/ban.py
@@ -105,16 +105,18 @@ async def process_wrong_login(request):
     except herror:
         pass
-    msg = f"Login attempt or request with invalid authentication from {remote_host} ({remote_addr})"
+    base_msg = f"Login attempt or request with invalid authentication from {remote_host} ({remote_addr})."
+    # The user-agent is unsanitized input so we only include it in the log
     user_agent = request.headers.get("user-agent")
-    if user_agent:
-        msg = f"{msg} ({user_agent})"
+    log_msg = f"{base_msg} ({user_agent})"
-    _LOGGER.warning(msg)
+    notification_msg = f"{base_msg} See the log for details."
+
+    _LOGGER.warning(log_msg)
     hass.components.persistent_notification.async_create(
-        msg, "Login attempt failed", NOTIFICATION_ID_LOGIN
+        notification_msg, "Login attempt failed", NOTIFICATION_ID_LOGIN
     )
     # Check if ban middleware is loaded
diff --git a/tests/components/http/test_ban.py b/tests/components/http/test_ban.py
index 76f5f94a2ed..717bd9564c0 100644
--- a/tests/components/http/test_ban.py
+++ b/tests/components/http/test_ban.py
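Review bot: Dropping the `if user_agent:` guard means a request that sends no User-Agent header now logs `... (None)`, because `request.headers.get("user-agent")` returns None on the line just above `log_msg`; keep the conditional, e.g. `log_msg = f"{base_msg} ({user_agent})" if user_agent else base_msg`. The header value is also still interpolated into the log record verbatim, so if the HTTP layer does not already reject control or escape characters in header values (not visible here), a crafted value could forge extra log lines or terminal escapes in every log sink; `{user_agent!r}` or stripping non-printable characters before logging would bound that. The new comment would be clearer about the actual decision if it read `# The User-Agent is client-controlled: it is kept out of the persistent notification and only written to the log`. process_wrong_login begins before this hunk and continues past it.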
@@ -174,8 +174,8 @@ async def test_ip_bans_file_creation(hass, aiohttp_client):
     assert len(notification_calls) == 3
     assert (
-        "Login attempt or request with invalid authentication from example.com (200.201.202.204) (Python"
-        in notification_calls[0].data["message"]
+        notification_calls[0].data["message"]
+        == "Login attempt or request with invalid authentication from example.com (200.201.202.204). See the log for details."
     )