fixes #847, CVE-2018-5692 protect a few user input variables

2026-03-28 17:42:57 +01:00 · 2018-07-11 11:22:31 +02:00
parent 23fa4c1a73
commit 69345c06e2
5 changed files with 8 additions and 0 deletions
--- a/admin.php
+++ b/admin.php
@@ -42,6 +42,7 @@ trigger_notify('loc_begin_admin');
 check_status(ACCESS_ADMINISTRATOR);

 check_input_parameter('page', $_GET, false, '/^[a-zA-Z\d_-]+$/');
+check_input_parameter('section', $_GET, false, '/^[a-z]+[a-z_\/-]*(\.php)?$/i');

 // +-----------------------------------------------------------------------+
 // | Direct actions                                                        |