fixes #573, check $_GET['tab'] against hacking attempt

git cherry-pick 4b33a0fd19
2026-03-28 17:42:57 +01:00 · 2017-01-01 19:04:18 +01:00
parent ec4cbb0464
commit 8596c7de90
1 changed files with 5 additions and 0 deletions
--- a/admin/languages.php
+++ b/admin/languages.php
@@ -31,9 +31,14 @@ include_once(PHPWG_ROOT_PATH.'admin/include/tabsheet.class.php');
 $my_base_url = get_root_url().'admin.php?page=languages';

 if (isset($_GET['tab']))
+{
+  check_input_parameter('tab', $_GET, false, '/^(installed|update|new)$/');
  $page['tab'] = $_GET['tab'];
+}
 else
+{
  $page['tab'] = 'installed';
+}

 $tabsheet = new tabsheet();
 $tabsheet->set_id('languages');