From 409e34187de2b2b2c4ef34c79f417be698830f6c Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Wed, 15 Mar 2023 10:51:16 +0000
Subject: cli-transaction: Escape any special characters in the EOL reason

CVE-2023-28101, GHSA-h43h-fwqx-mpp8

Signed-off-by: Simon McVittie <smcv@collabora.com>
---
 app/flatpak-cli-transaction.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'app')

diff --git a/app/flatpak-cli-transaction.c b/app/flatpak-cli-transaction.c
index 53593bfc..829f44b2 100644
--- a/app/flatpak-cli-transaction.c
+++ b/app/flatpak-cli-transaction.c
@@ -755,6 +755,9 @@ print_eol_info_message (FlatpakDir        *dir,
     }
   else if (reason)
     {
+      g_autofree char *escaped_reason = flatpak_escape_string (reason,
+                                                               FLATPAK_ESCAPE_ALLOW_NEWLINES |
+                                                               FLATPAK_ESCAPE_DO_NOT_QUOTE);
       if (is_pinned)
         {
           /* Only runtimes can be pinned */
@@ -770,7 +773,7 @@ print_eol_info_message (FlatpakDir        *dir,
             g_print (_("\nInfo: app %s%s%s branch %s%s%s is end-of-life, with reason:\n"),
                      on, ref_name, off, on, ref_branch, off);
         }
-      g_print ("   %s\n", reason);
+      g_print ("   %s\n", escaped_reason);
     }
 }
 
-- 
cgit v1.2.1