Digitalstack/myaac
2
0
Fork 0
mirror of https://github.com/slawkens/myaac.git synced 2025-04-27 09:49:22 +02:00
Code Issues Packages Projects Releases Wiki Activity

Security fix

Browse Source 
Don't allow slash in URL
This commit is contained in:
slawkens 2021-07-03 08:38:32 +02:00
parent 6a4dbcef62
commit ef2a408298
1 changed files with 10 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
index.php
View File

@ -81,7 +81,7 @@ if(empty($uri) || isset($_REQUEST['template'])) {
}
else {
$tmp = strtolower($uri);
if(!preg_match('/[^A-z0-9_\-]/', $uri) && file_exists(SYSTEM . 'pages/' . $tmp . '.php')) {
if(preg_match('/^[A-z0-9_\-]+$/', $uri) && file_exists(SYSTEM . 'pages/' . $tmp . '.php')) {
$_REQUEST['p'] = $uri;
$found = true;
}
@ -156,18 +156,20 @@ else {
// define page visited, so it can be used within events system
$page = isset($_REQUEST['subtopic']) ? $_REQUEST['subtopic'] : (isset($_REQUEST['p']) ? $_REQUEST['p'] : '');
if(empty($page) || !preg_match('/^[A-z0-9\_\-]+$/', $page)) {
if(empty($page) || !preg_match('/^[A-z0-9_\-]+$/', $page)) {
if(!$found) {
$page = '404';
}
else {
$tmp = URI;
if (!empty($tmp)) {
$page = $tmp;
}
else {
if(!$found)
$page = '404';
else
$page = 'news';
}
}
}
$page = strtolower($page);
define('PAGE', $page);