cli-transaction: Escape any special characters in the EOL reason

CVE-2023-28101, GHSA-h43h-fwqx-mpp8 Signed-off-by: Simon McVittie <smcv@collabora.com>
2026-05-16 20:56:52 -04:00 · 2023-03-15 10:51:16 +00:00
parent 7fe63f2e8f
commit 409e34187d
1 changed files with 4 additions and 1 deletions
--- a/app/flatpak-cli-transaction.c
+++ b/app/flatpak-cli-transaction.c
@@ -755,6 +755,9 @@ print_eol_info_message (FlatpakDir        *dir,
    }
  else if (reason)
    {
+      g_autofree char *escaped_reason = flatpak_escape_string (reason,
+                                                               FLATPAK_ESCAPE_ALLOW_NEWLINES |
+                                                               FLATPAK_ESCAPE_DO_NOT_QUOTE);
      if (is_pinned)
        {
          /* Only runtimes can be pinned */
@@ -770,7 +773,7 @@ print_eol_info_message (FlatpakDir        *dir,
            g_print (_("\nInfo: app %s%s%s branch %s%s%s is end-of-life, with reason:\n"),
                     on, ref_name, off, on, ref_branch, off);
        }
-      g_print ("   %s\n", reason);
+      g_print ("   %s\n", escaped_reason);
    }
 }