Mirror of https://github.com/mauriceboe/TREK.git (synced 2026-06-20 05:41:47 +00:00)

Commit b109c1340a
Three vulnerabilities patched in the /export.ics route:

- esc() now handles bare \r and CRLF sequences — the previous regex only matched \n, leaving \r intact and allowing CRLF injection via \r\n
- reservation DESCRIPTION field was built from unescaped user data (type, confirmation_number, notes, airline, flight/train numbers, airports) and written raw into ICS output; now passed through esc()
- Content-Disposition filename used ICS escaping instead of HTTP header sanitization; replaced with a character allowlist to prevent " and \r\n injection into the response header
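The three fixes described in the commit message, shown as an added example in Python. This is not the TREK project's code: the field names (`type`, `confirmation_number`, `airline`, `flight_number`, `notes`), the `esc_before` reconstruction of the flaw, the `PRODID` value and the sample reservation are all assumptions or constructed for illustration. The example shows why a newline-only escape is insufficient against CRLF, how RFC 5545 TEXT escaping keeps user data inside one content line, and why a header filename needs an allowlist rather than ICS escaping.

```python
import re

# --- Fix 1: ICS TEXT escaping (RFC 5545 section 3.3.11) -------------------

def esc_before(value) -> str:
    """Reconstruction of the weak escape: only \\n is handled, so the \\r of a
    CRLF pair survives and can still terminate the content line."""
    return re.sub(r"\n", lambda m: "\\n", str(value))


def esc(value) -> str:
    """Escape a value for use inside an iCalendar TEXT property.

    Backslash is doubled first so the escapes inserted afterwards are not
    themselves re-escaped; then ';' and ',' (value delimiters) are escaped;
    finally every line-break variant (CRLF, bare CR, bare LF) becomes the
    two-character sequence backslash-n, so no raw line terminator remains.
    """
    s = str(value)
    s = s.replace("\\", "\\\\")
    s = s.replace(";", "\\;")
    s = s.replace(",", "\\,")
    return re.sub(r"\r\n|\r|\n", lambda m: "\\n", s)


# --- Fix 2: DESCRIPTION built only from escaped user data ------------------

# Assumed reservation keys; the real model's field names may differ.
DESCRIPTION_FIELDS = ("type", "confirmation_number", "airline",
                      "flight_number", "airports", "notes")


def build_description(reservation: dict) -> str:
    """Join the user-supplied fields into one TEXT value and escape it once."""
    parts = [f"{key}: {reservation[key]}"
             for key in DESCRIPTION_FIELDS if reservation.get(key)]
    return esc("\n".join(parts))


# --- Fix 3: Content-Disposition filename via a character allowlist ----------

_DISALLOWED = re.compile(r"[^A-Za-z0-9._-]")


def safe_attachment_filename(name: str, default: str = "export.ics") -> str:
    """Reduce a filename to [A-Za-z0-9._-]; '"', CR and LF can never reach
    the header. ICS escaping would have been wrong here: '\\n' is meaningless
    to an HTTP parser, only dropping the bytes is safe."""
    cleaned = _DISALLOWED.sub("_", name).strip("._")
    if not cleaned:
        cleaned = default
    if not cleaned.endswith(".ics"):
        cleaned += ".ics"
    return cleaned


def content_disposition(name: str) -> str:
    return f'attachment; filename="{safe_attachment_filename(name)}"'


# --- Putting the route together --------------------------------------------

def export_ics(reservation: dict):
    """Return (headers, body) for a one-event calendar export.
    Line folding at 75 octets (RFC 5545 section 3.1) is omitted here."""
    lines = [
        "BEGIN:VCALENDAR",
        "VERSION:2.0",
        "PRODID:-//example//ics-export-demo//EN",  # constructed value
        "BEGIN:VEVENT",
        f"UID:{esc(reservation.get('uid', 'demo-uid'))}",
        f"SUMMARY:{esc(reservation.get('summary', ''))}",
        f"DESCRIPTION:{build_description(reservation)}",
        "END:VEVENT",
        "END:VCALENDAR",
    ]
    body = "\r\n".join(lines) + "\r\n"
    headers = {
        "Content-Type": "text/calendar; charset=utf-8",
        "Content-Disposition":
            content_disposition(reservation.get("filename", "export")),
    }
    return headers, body


def content_lines(body: str) -> list:
    """Split an ICS body into its content lines (used to verify that user
    data never produced an extra line)."""
    return [l for l in body.split("\r\n") if l]


if __name__ == "__main__":
    # Constructed sample: the notes field tries to close the event early.
    sample = {
        "summary": "Flight to LHR",
        "type": "flight",
        "confirmation_number": "ABC123",
        "notes": "window seat\r\nEND:VEVENT\r\nBEGIN:VEVENT\r\nSUMMARY:injected",
        "filename": 'trip"\r\nX-Evil: 1',
    }
    hdrs, out = export_ics(sample)
    print(hdrs["Content-Disposition"])
    print(out)
```

Run it to see that the injected `END:VEVENT` appears only as escaped text inside the single `DESCRIPTION:` line, and that the header filename contains no quote or line break.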