From e3e047b24ad021c3b3af25f97eea343893ecc1e3 Mon Sep 17 00:00:00 2001 From: Gina Haeussge Date: Fri, 4 Jul 2008 15:41:14 -0400 Subject: Validate action parameter Make sure the action request parameter only consists of a-z, A-Z, 0-9, _ or - to discourage tampering with the following require_once. darcs-hash:20080704194114-2b4f5-2bec30d7d40d7c7bd2c747ef3c805dbf720f6159.gz --- index.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'index.php') diff --git a/index.php b/index.php index 53fd1bfe6..514146c78 100644 --- a/index.php +++ b/index.php @@ -24,7 +24,7 @@ require_once(INSTALLDIR . "/lib/common.php"); $action = $_REQUEST['action']; -if (!$action) { +if (!$action || !preg_match('/^[a-zA-Z0-9_-]*$/', $action)) { common_redirect(common_local_url('public')); } -- cgit v1.2.3-54-g00ecf