GHSA-ghmw-rwh8-6qmr

### Summary A log injection vulnerability was identified in `pyload`. This vulnerability allows any unauthenticated actor to inject arbitrary messages into the logs gathered by `pyload`.

### Details `pyload` will generate a log entry when attempting to sign in with faulty credentials. This entry will be in the form of `Login failed for user 'USERNAME'`. However, when supplied with a username containing a newline, this newline is not properly escaped. Newlines are also the delimiter between log entries. This allows the attacker to inject new log entries into the log file.

### PoC Run `pyload` in the default configuration by running the following command ``` pyload ```

We can now sign in as the pyload user and view the logs at `http://localhost:8000/logs`. 

Any unauthenticated attacker can now make the following request to inject arbitrary logs.

``` curl 'http://localhost:8000/login?next=http://localhost:8000/' -X POST -H 'Content-Type: application/x-www-form-urlencoded' --data-raw $'do=login&username=wrong\'%0a[2024-01-05 02:49:19] HACKER PinkDraconian THIS ENTRY HAS BEEN INJECTED&password=wrong&submit=Login' ```

If we now were to look at the logs again, we see that the entry has successfully been injected. 

### Impact Forged or otherwise, corrupted log files can be used to cover an attacker’s tracks or even to implicate another party in the commission of a malicious act.