From e644c029954cf6de4e9e9690da72b97a17ea1c85 Mon Sep 17 00:00:00 2001
From: Marius Cramer <m.cramer@pixcept.de>
Date: Thu, 21 May 2015 03:20:42 -0400
Subject: [PATCH] Merge remote-tracking branch 'ispc/stable-3.0.5' into stable-3.0.5

---
 interface/web/capp.php |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/interface/web/capp.php b/interface/web/capp.php
index 2c14318..3939269 100644
--- a/interface/web/capp.php
+++ b/interface/web/capp.php
@@ -43,6 +43,7 @@
 }
 
 if(!preg_match("/^[a-z]{2,20}$/i", $mod)) die('module name contains unallowed chars.');
+if($redirect != '' && !preg_match("/^[a-z0-9]+\/[a-z0-9_\.\-]+\?id=[0-9]{1,9}$/i", $redirect)) die('redirect contains unallowed chars.');
 
 //* Check if user may use the module.
 $user_modules = explode(",", $_SESSION["s"]["user"]["modules"]);

--
Gitblit v1.9.1