From 4b549144d82ea0f368321d149215f577049fffa6 Mon Sep 17 00:00:00 2001
From: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Date: Sun, 15 Sep 2013 22:26:56 -0400
Subject: Verify validity of session name when received from outside

Only ASCII letters and digits are allowed.
---
 src/shared/replace-var.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'src/shared/replace-var.c')

diff --git a/src/shared/replace-var.c b/src/shared/replace-var.c
index e11c57a43d..478fc43a38 100644
--- a/src/shared/replace-var.c
+++ b/src/shared/replace-var.c
@@ -24,6 +24,7 @@
 #include "macro.h"
 #include "util.h"
 #include "replace-var.h"
+#include "def.h"
 
 /*
  * Generic infrastructure for replacing @FOO@ style variables in
@@ -40,7 +41,7 @@ static int get_variable(const char *b, char **r) {
         if (*b != '@')
                 return 0;
 
-        k = strspn(b + 1, "ABCDEFGHIJKLMNOPQRSTUVWXYZ_");
+        k = strspn(b + 1, UPPERCASE_LETTERS "_");
         if (k <= 0 || b[k+1] != '@')
                 return 0;
 
-- 
cgit v1.2.3-54-g00ecf