Message ID | 20171016203604.5789-1-michael@niedermayer.cc |
---|---|
State | New |
On Mon, Oct 16, 2017 at 10:36:04PM +0200, Michael Niedermayer wrote:
> Prevents cross site scripting attack
>
> Found-by: Pankaj Jadhav <pankajj736@gmail.com>
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> index.cgi | 2 ++
> 1 file changed, 2 insertions(+)

patch applied

[...]
diff --git a/index.cgi b/index.cgi index 030fb52..a164d3b 100755 --- a/index.cgi +++ b/index.cgi @@ -32,6 +32,8 @@ use URI::Escape; my @queries = split(/\/\//, uri_unescape param 'query') if (param 'query'); my $sort = param('sort'); +$sort =~ s/[^A-Za-z0-9 ]*//g; +param('sort', $sort); $sort = $sort eq 'arch' ? 'subarch': $sort; (my $uri = $ENV{REQUEST_URI}) =~ s/\?.*//;
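Review bot: the added `$sort =~ s/[^A-Za-z0-9 ]*//g;` runs even when the request carries no `sort` parameter, so `$sort` is undef at the substitution and the following `param('sort', $sort)` writes a value back into a parameter the request never sent; guarding both added lines with `if defined $sort` would leave that case unchanged. The `*` quantifier also lets the pattern match the empty string at every position, so `+` (or `tr/A-Za-z0-9 //cd`) expresses the same filter more directly. Since the next line compares `$sort` against a fixed key (`'arch'`), checking it against the list of accepted sort keys would be tighter than stripping characters. The `query` parameter on the context line above is passed through `uri_unescape` and is not touched by this change, so it is worth confirming that it is HTML-escaped wherever it is written to the page.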
Prevents cross site scripting attack

Found-by: Pankaj Jadhav <pankajj736@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
index.cgi | 2 ++
1 file changed, 2 insertions(+)