Message ID | 20171017161213.6748-1-michael@niedermayer.cc |
---|---|
State | New |
On Tue, Oct 17, 2017 at 06:12:13PM +0200, Michael Niedermayer wrote:
> Fixes: Directory Traversal
>
> Found-by: Pankaj Jadhav <pankajj736@gmail.com>
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  log.cgi | 4 ++++
>  1 file changed, 4 insertions(+)

patch applied

[...]
diff --git a/log.cgi b/log.cgi index d5d2abb..8767e3a 100755 --- a/log.cgi +++ b/log.cgi @@ -22,7 +22,11 @@ use FATE; my $req_slot = param 'slot'; my $req_time = param 'time'; +$req_slot =~ s/[^-._A-Za-z0-9 ]*//g; +$req_time =~ s/[^0-9]*//g; my ($req_log, $req_diff) = param('log') =~ m!([^/]+)(?:/([^/]+))?!; +$req_log =~ s/[^a-z]*//g; +$req_diff =~ s/[^0-9]*//g; my $repdir = "$fatedir/$req_slot/$req_time"; my $log = "$repdir/$req_log.log.gz";
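Review bot: the allow-list for `$req_slot` (`s/[^-._A-Za-z0-9 ]*//g`) still permits `.`, so a slot value made up only of dots passes through unchanged and `$repdir = "$fatedir/$req_slot/$req_time"` can still resolve to the parent of `$fatedir`. Consider rejecting the request unless the slot matches an anchored pattern that starts with an alphanumeric character, instead of silently stripping characters, so that a malformed request fails rather than being mapped onto some other path. Two smaller points in the same hunk: `$req_diff` is undefined whenever `param('log')` has no second path component (and both captures are undefined if `log` is missing or does not match), so `$req_diff =~ s/[^0-9]*//g` and `$req_log =~ s/[^a-z]*//g` operate on undef and should be guarded with a defined check; and the `*` quantifier in all four substitutions also matches the empty string, so `+` expresses the intent more clearly. An empty `$req_slot`, `$req_time` or `$req_log` after filtering should also be treated as an error before `$repdir` and `$log` are built.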
Fixes: Directory Traversal

Found-by: Pankaj Jadhav <pankajj736@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 log.cgi | 4 ++++
 1 file changed, 4 insertions(+)