From 276afe3de9db89965f1a86214b9d9b97cdf45b1e Mon Sep 17 00:00:00 2001
From: plegall
Date: Fri, 16 Feb 2024 18:14:40 +0100
Subject: [PATCH] attempt to fix #2079 with a different way to validate input
---
 admin/batch_manager_global.php | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/admin/batch_manager_global.php b/admin/batch_manager_global.php
index 38d2f5006..937dba560 100644
--- a/admin/batch_manager_global.php
+++ b/admin/batch_manager_global.php
@@ -51,8 +51,21 @@ if (isset($_POST['nb_photos_deleted']))
 }
 else if (isset($_POST['setSelected']))
 {
- check_input_parameter('whole_set', $_POST, false, '/^\d+(,\d+)*$/');
+ // Here we don't use check_input_parameter because preg_match has a limit in
+ // the repetitive pattern. Found a limit to 3276 but may depend on memory.
+ //
+ // check_input_parameter('whole_set', $_POST, false, '/^\d+(,\d+)*$/');
+ //
+ // Instead, let's break the input parameter into pieces and check pieces one by one.
 $collection = explode(',', $_POST['whole_set']);
+ foreach ($collection as $id)
+ {
+ if (!preg_match('/^\d+$/', $id))
+ {
+ fatal_error('[Hacking attempt] the input parameter "whole_set" is not valid');
+ }
+ }
 }
 else if (isset($_POST['selection']))
 {
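Review bot: The per-element check `preg_match('/^\d+$/', $id)` in the new foreach still accepts a trailing newline, because `$` in PCRE also matches just before a final "\n", so a piece such as "12\n" passes a validation that is meant to admit digits only; the regex it replaces had the same quirk, so this is not a regression, but the loop is the right place to close it with `if (!preg_match('/^\d+\z/', $id))` or simply `if (!ctype_digit($id))`, both of which also reject the empty piece that `explode` yields for an empty or comma-terminated `whole_set`. Separately, if `$_POST['whole_set']` arrives as an array rather than a string, `explode()` raises a TypeError on PHP 8 instead of reaching the fatal_error path that this hunk establishes; an `is_string($_POST['whole_set'])` guard before the explode keeps malformed input on the same rejection path. The surrounding if/else-if chain starts and ends outside the hunk, so how `$collection` is consumed afterwards cannot be checked here.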