fateserver/index: clean chars in sort parameter
authorMichael Niedermayer <michael@niedermayer.cc>
Mon, 16 Oct 2017 20:00:11 +0000 (22:00 +0200)
committerMichael Niedermayer <michael@niedermayer.cc>
Mon, 16 Oct 2017 20:35:31 +0000 (22:35 +0200)
Prevents a cross-site scripting attack

Found-by: Pankaj Jadhav <pankajj736@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
index.cgi

index 030fb52..a164d3b 100755 (executable)
--- a/index.cgi
+++ b/index.cgi
@@ -32,6 +32,8 @@ use URI::Escape;
 my @queries = split(/\/\//, uri_unescape param 'query') if (param 'query');
 
 my $sort = param('sort');
+$sort =~ s/[^A-Za-z0-9 ]*//g;
+param('sort', $sort);
 $sort    = $sort eq 'arch' ? 'subarch': $sort;
 
 (my $uri = $ENV{REQUEST_URI}) =~ s/\?.*//;
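Review bot: The new substitution runs on `$sort` as returned by `param('sort')`, which is undef when the parameter is absent, so under `use warnings` a request without `?sort=` logs an uninitialized-value warning on the added line (the pre-existing `eq 'arch'` comparison had the same problem); defaulting first, `my $sort = param('sort') // '';`, avoids it, and the `*` quantifier, which also matches the empty string at every position, reads more naturally as `s/[^A-Za-z0-9 ]+//g;`. Stripping characters at input is defense in depth, not a replacement for escaping `$sort` at the point where it is written into HTML, which is not visible in this hunk. Since the accepted sort keys look like a fixed set (`arch`/`subarch` on the following line), an anchored allowlist of those names that rejects anything else would be stricter than a character class. The `query` parameter unescaped on the first context line gets no comparable treatment; whether it reaches output unescaped cannot be seen from here.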