From 37b29231e47a0c4458dc1c15d98588f16f07e1e2 Mon Sep 17 00:00:00 2001 From: Marius Cramer <m.cramer@pixcept.de> Date: Thu, 06 Aug 2015 03:18:44 -0400 Subject: [PATCH] - don't set password via remoting if field is empty --- interface/web/capp.php | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/interface/web/capp.php b/interface/web/capp.php index 2c14318..3939269 100644 --- a/interface/web/capp.php +++ b/interface/web/capp.php @@ -43,6 +43,7 @@ } if(!preg_match("/^[a-z]{2,20}$/i", $mod)) die('module name contains unallowed chars.'); +if($redirect != '' && !preg_match("/^[a-z0-9]+\/[a-z0-9_\.\-]+\?id=[0-9]{1,9}$/i", $redirect)) die('redirect contains unallowed chars.'); //* Check if user may use the module. $user_modules = explode(",", $_SESSION["s"]["user"]["modules"]); -- Gitblit v1.9.1