[FFmpeg-devel] fateserver/index: clean chars in sort parameter

Submitted by Michael Niedermayer on Oct. 16, 2017, 8:36 p.m.

Details

Message ID 20171016203604.5789-1-michael@niedermayer.cc
State New

Commit Message

Michael Niedermayer Oct. 16, 2017, 8:36 p.m.
Prevents cross site scripting attack

Found-by: Pankaj Jadhav <pankajj736@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 index.cgi | 2 ++
 1 file changed, 2 insertions(+)

Comments

Michael Niedermayer Nov. 16, 2017, 11:35 a.m.
On Mon, Oct 16, 2017 at 10:36:04PM +0200, Michael Niedermayer wrote:
> Prevents cross site scripting attack
> 
> Found-by: Pankaj Jadhav <pankajj736@gmail.com>
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  index.cgi | 2 ++
>  1 file changed, 2 insertions(+)

patch applied

[...]


diff --git a/index.cgi b/index.cgi
index 030fb52..a164d3b 100755
--- a/index.cgi
+++ b/index.cgi
@@ -32,6 +32,8 @@  use URI::Escape;
 my @queries = split(/\/\//, uri_unescape param 'query') if (param 'query');
 
 my $sort = param('sort');
+$sort =~ s/[^A-Za-z0-9 ]*//g;
+param('sort', $sort);
 $sort    = $sort eq 'arch' ? 'subarch': $sort;
 
 (my $uri = $ENV{REQUEST_URI}) =~ s/\?.*//;
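Review bot: the new substitution on `$sort` runs on an undefined value whenever the request carries no `sort` parameter, since `param('sort')` returns undef in that case; under `use warnings` that logs "Use of uninitialized value" on every such request (the existing `$sort eq 'arch'` comparison has the same problem, so this is a good place to fix both), e.g. `my $sort = param('sort') // '';`. Stripping everything outside `[A-Za-z0-9 ]` does close the reflected-XSS path, but a stricter and more self-documenting check is to validate the value against the finite set of sort keys the page actually supports and fall back to the default otherwise, rather than silently rewriting unknown input; if the strip-based approach is kept, `+` is the idiomatic quantifier here (`*` also matches the empty string, which is harmless but pointless). Writing the cleaned value back with `param('sort', $sort)` is the right call so that any later `param('sort')` read, such as link generation, sees the sanitised form. The `query` parameter on the line above (`uri_unescape param 'query'`) is untrusted input of the same kind and is not covered by this hunk; it would be worth confirming it is escaped wherever it reaches the HTML output.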