Security fix

Don't allow slash in URL
slawkens 2021-07-03 08:38:32 +02:00
parent 6a4dbcef62
commit ef2a408298


@ -81,7 +81,7 @@ if(empty($uri) || isset($_REQUEST['template'])) {
} }
else { else {
$tmp = strtolower($uri); $tmp = strtolower($uri);
if(!preg_match('/[^A-z0-9_\-]/', $uri) && file_exists(SYSTEM . 'pages/' . $tmp . '.php')) { if(preg_match('/^[A-z0-9_\-]+$/', $uri) && file_exists(SYSTEM . 'pages/' . $tmp . '.php')) {
$_REQUEST['p'] = $uri; $_REQUEST['p'] = $uri;
$found = true; $found = true;
} }
@ -156,16 +156,18 @@ else {
// define page visited, so it can be used within events system // define page visited, so it can be used within events system
$page = isset($_REQUEST['subtopic']) ? $_REQUEST['subtopic'] : (isset($_REQUEST['p']) ? $_REQUEST['p'] : ''); $page = isset($_REQUEST['subtopic']) ? $_REQUEST['subtopic'] : (isset($_REQUEST['p']) ? $_REQUEST['p'] : '');
if(empty($page) || !preg_match('/^[A-z0-9\_\-]+$/', $page)) { if(empty($page) || !preg_match('/^[A-z0-9_\-]+$/', $page)) {
$tmp = URI; if(!$found) {
if(!empty($tmp)) { $page = '404';
$page = $tmp;
} }
else { else {
if(!$found) $tmp = URI;
$page = '404'; if (!empty($tmp)) {
else $page = $tmp;
}
else {
$page = 'news'; $page = 'news';
}
} }
} }
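Review bot: The character class `[A-z0-9_\-]` in both `preg_match` calls (the `$uri` check in the first hunk and the `$page` check in the second) is wider than it reads: the range `A-z` also covers the ASCII characters between `Z` and `a`, namely `[`, `\`, `]`, `^` and the backtick, so a backslash still passes a check meant to keep path separators out of `SYSTEM . 'pages/' . $tmp . '.php'`. In addition, `$` without the `D` modifier matches before a trailing newline, which the previous negated-class form of the `$uri` check rejected. I would write both patterns as `'/^[A-Za-z0-9_\-]+\z/'`. In the second hunk `$page` is still assigned from `URI` when `$found` is true; whether `$found` can only be set after the `$uri` check has passed is not visible here, because the enclosing blocks start outside the hunks, so a short comment stating that invariant next to `$tmp = URI;` would help.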