authorLukas Fleischer <archlinux@cryptocrack.de>2014-07-02 07:10:13 +0200
committerLukas Fleischer <archlinux@cryptocrack.de>2014-07-02 08:22:51 +0200
commit06b7099357b78468cf2d98ca3bd9143799952966 (patch)
treea37c85fccde4ecddddf327850d367028b85086c3 /web
parente141c6c38cad0e0572e16c24f1caf59acb75b3e7 (diff)
Validate package base name when filing requests
Make sure that the package base to merge into does not contain any invalid characters. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Diffstat (limited to 'web')
-rw-r--r--web/html/pkgbase.php7
1 files changed, 6 insertions, 1 deletions
diff --git a/web/html/pkgbase.php b/web/html/pkgbase.php
index adc6118..c246b6f 100644
--- a/web/html/pkgbase.php
+++ b/web/html/pkgbase.php
@@ -97,7 +97,12 @@ if (check_token()) {
} elseif (current_action("do_ChangeCategory")) {
list($ret, $output) = pkgbase_change_category($base_id, $atype);
} elseif (current_action("do_FileRequest")) {
- list($ret, $output) = pkgreq_file($ids, $_POST['type'], $_POST['merge_into'], $_POST['comments']);
+ if (empty($_POST['merge_into']) || preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/", $_POST['merge_into'])) {
+ list($ret, $output) = pkgreq_file($ids, $_POST['type'], $_POST['merge_into'], $_POST['comments']);
+ } else {
+ $output = __("Invalid name: only lowercase letters are allowed.");
+ $ret = false;
+ }
} elseif (current_action("do_CloseRequest")) {
list($ret, $output) = pkgreq_close($_POST['reqid'], false);
}
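Review bot: The `$` anchor in the new `preg_match` pattern also matches just before a trailing newline, so a `merge_into` value made of a valid name followed by `\n` passes the check and reaches `pkgreq_file()` unchanged. Anchoring the end with `\z` (or adding the `D` modifier) closes that gap: `preg_match("/^[a-z0-9][a-z0-9\.+_-]*\z/", $_POST['merge_into'])`. The error text says only lowercase letters are allowed, while the pattern also accepts digits and `.`, `+`, `_`, `-`; the message should name the accepted set so users can correct their input. The enclosing `if (check_token())` block starts and ends outside the hunk, and `pkgreq_file()` is not visible here, so it should presumably still treat the value as untrusted when building queries or output.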