From e3e047b24ad021c3b3af25f97eea343893ecc1e3 Mon Sep 17 00:00:00 2001
From: Gina Haeussge <osd@foosel.net>
Date: Fri, 4 Jul 2008 15:41:14 -0400
Subject: Validate action parameter

Make sure the action request parameter only consists of a-z, A-Z, 0-9, _ or -
to discourage tampering with the following require_once.

darcs-hash:20080704194114-2b4f5-2bec30d7d40d7c7bd2c747ef3c805dbf720f6159.gz
---
 index.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/index.php b/index.php
index 53fd1bfe6..514146c78 100644
--- a/index.php
+++ b/index.php
@@ -24,7 +24,7 @@ require_once(INSTALLDIR . "/lib/common.php");
 
 $action = $_REQUEST['action'];
 
-if (!$action) {
+if (!$action || !preg_match('/^[a-zA-Z0-9_-]*$/', $action)) {
 	common_redirect(common_local_url('public'));
 }
 
-- 
cgit v1.2.3-54-g00ecf