iarv/Piwigo
1
0
Fork 0
mirror of https://github.com/Piwigo/Piwigo.git synced 2026-03-28 17:42:57 +01:00
Code Issues Packages Projects Releases Wiki Activity

fixes #699, make sure $_GET['tab'] does not include unexpected chars

Browse Source
This commit is contained in:
plegall
2017-06-02 10:10:50 +02:00
parent 9fa8f3069c
commit 3ae62ce118
1 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
admin.php
View File

@@ -159,6 +159,11 @@ else
$link_start = PHPWG_ROOT_PATH.'admin.php?page='; $link_start = PHPWG_ROOT_PATH.'admin.php?page=';
$conf_link = $link_start.'configuration&section='; $conf_link = $link_start.'configuration&section=';
// $_GET['tab'] is often used to perform and
// include('admin_page_'.$_GET['tab'].'.php') : we need to protect it to
// avoid any unexpected file inclusion
check_input_parameter('tab', $_GET, false, '/^[a-zA-Z\d_-]+$/');
// +-----------------------------------------------------------------------+ // +-----------------------------------------------------------------------+
// | Template init | // | Template init |
// +-----------------------------------------------------------------------+ // +-----------------------------------------------------------------------+