projects / fateserver.git / commitdiff
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 8bd488a)
index: validate parameters.
authorNicolas George <george@nsup.org>
Sun, 8 Aug 2021 12:33:20 +0000 (14:33 +0200)
committerNicolas George <george@nsup.org>
Mon, 23 Aug 2021 10:26:36 +0000 (12:26 +0200)
query still needs to be validated, but it is only used
for strign operations, and the matter of double escaping
needs to be clarified first.

index.cgi patch | blob | history

diff --git a/index.cgi b/index.cgi
index 48cd076e3b0cc49cb2d5b0a55c229f8ac7d6a7d7..880de3c51b459d97da882bde71e18740c64ffc66 100755 (executable)
--- a/index.cgi
+++ b/index.cgi
@@ -33,10 +33,8 @@ use URI::Escape;
 # split(/:/, $this_query, 2);
 my @queries = split(/\/\//, uri_unescape param 'query') if (param 'query');
 
-my $sort = param('sort');
-$sort =~ s/[^A-Za-z0-9 ]*//g;
-param('sort', $sort);
-$sort    = $sort eq 'arch' ? 'subarch': $sort;
+my $sort = safeparam_sort;
+$sort = "subarch" if defined($sort) && $sort eq "arch";
 
 opendir D, $fatedir or fail 'Server error: $fatedir not found';
 my @slots = grep /^[^.]/, readdir D;
Fateserver git repo