fixes #699, make sure $_GET['tab'] does not include unexpected chars

2025-04-26 19:29:58 +03:00 · 2017-06-02 10:10:50 +02:00 · 2017-06-02 10:10:50 +02:00 · 3ae62ce118
commit 3ae62ce118
parent 9fa8f3069c
1 changed files with 5 additions and 0 deletions
--- a/admin.php
+++ b/admin.php
@ -159,6 +159,11 @@ else
 $link_start = PHPWG_ROOT_PATH.'admin.php?page=';
 $conf_link = $link_start.'configuration&amp;section=';

+// $_GET['tab'] is often used to perform and
+// include('admin_page_'.$_GET['tab'].'.php') : we need to protect it to
+// avoid any unexpected file inclusion
+check_input_parameter('tab', $_GET, false, '/^[a-zA-Z\d_-]+$/');
+
 // +-----------------------------------------------------------------------+
 // | Template init                                                         |
 // +-----------------------------------------------------------------------+