From a7bfbd93812950b7444841431e8e297e62cb524e Mon Sep 17 00:00:00 2001
From: Alexey Sokolov
Date: Fri, 13 Jul 2018 23:26:44 +0100
Subject: [PATCH] Don't let attackers inject rogue values into znc.conf
Because of this vulnerability, existing ZNC users could get Admin permissions. Thanks for Jeriko One for finding and reporting this.
---
 src/Config.cpp | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/src/Config.cpp b/src/Config.cpp
index 2543d6ee..0730b894 100644
--- a/src/Config.cpp
+++ b/src/Config.cpp
@@ -174,9 +174,14 @@ bool CConfig::Parse(CFile& file, CString& sErrorMsg) {
 void CConfig::Write(CFile& File, unsigned int iIndentation) {
 CString sIndentation = CString(iIndentation, '\t');
+ auto SingleLine = [](const CString& s) {
+ return s.Replace_n("\r", "").Replace_n("\n", "");
+ };
+
+ for (const auto& it : m_ConfigEntries) {
 for (const CString& sValue : it.second) {
- File.Write(sIndentation + it.first + " = " + sValue + "\n");
+ File.Write(SingleLine(sIndentation + it.first + " = " + sValue) +
+ "\n");
 }
 }
@@ -184,9 +189,11 @@ void CConfig::Write(CFile& File, unsigned int iIndentation) {
 for (const auto& it2 : it.second) {
 File.Write("\n");
- File.Write(sIndentation + "<" + it.first + " " + it2.first + ">\n");
+ File.Write(SingleLine(sIndentation + "<" + it.first + " " +
+ it2.first + ">") +
+ "\n");
 it2.second.m_pSubConfig->Write(File, iIndentation + 1);
- File.Write(sIndentation + "\n");
+ File.Write(SingleLine(sIndentation + "") + "\n");
 }
 }
 }
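Review bot: `SingleLine` in `CConfig::Write` deletes CR and LF without any signal, so an entry whose key or value held a line break is written as one merged string and the config that `Parse` loads afterwards no longer matches what is in memory. The strip is a sound last line of defence, but such values should also be rejected or logged where they enter `m_ConfigEntries`, which is not visible in this hunk. The lambda deserves a why-comment, for example `// znc.conf is line-oriented: a CR/LF inside a key or value would begin a new directive on reload`. The diffstat lists only src/Config.cpp, so a regression test that writes a value containing `\n` and parses the result back is still missing. `Write` continues past the end of this hunk.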
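Review bot: Every content line in `CConfig::Write` now has to be wrapped by hand as `File.Write(SingleLine(...) + "\n")` (twice in this hunk, once in the previous one), so a later `File.Write` added to the function can skip the strip unnoticed. Folding both steps into one local helper, `auto WriteLine = [&](const CString& s) { File.Write(SingleLine(s) + "\n"); };`, would leave a single path for anything derived from config data. The function begins in the previous hunk; only its tail is shown here.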