Fix XSS

author Jamie Cameron <jcameron@webmin.com>

Thu, 14 Feb 2008 08:27:59 +0000 (08:27 +0000)

committer Jamie Cameron <jcameron@webmin.com>

Thu, 14 Feb 2008 08:27:59 +0000 (08:27 +0000)
author Jamie Cameron <jcameron@webmin.com>
Thu, 14 Feb 2008 08:27:59 +0000 (08:27 +0000)
committer Jamie Cameron <jcameron@webmin.com>
Thu, 14 Feb 2008 08:27:59 +0000 (08:27 +0000)
diff --git a/uptracker.cgi b/uptracker.cgi

index e2cddd8..80a4dac 100755 (executable)
--- a/uptracker.cgi
+++ b/uptracker.cgi
@@ -1,14 +1,14 @@
  #!/usr/local/bin/perl
  # Output Javascript in a loop to track an upload
-# XXX add to more modules
  
+$trust_unknown_referers = 1;
  require './web-lib.pl';
  &init_config();
  do './ui-lib.pl';
  &ReadParse();
  $id = $in{'id'};
  $id || &error($text{'uptracker_eid'});
-$id !~ /\.\./ && $id !~ /\0/ || &error($text{'uptracker_eid2'});
+$id =~ /^[a-z0-9_]+$/i || &error($text{'uptracker_eid2'});
  
  &popup_header($text{'uptracker_title'}, undef,
               "onunload='if (!window.doneupload) { opener.stop() }'");
author	Jamie Cameron <jcameron@webmin.com>
	Thu, 14 Feb 2008 08:27:59 +0000 (08:27 +0000)
committer	Jamie Cameron <jcameron@webmin.com>
	Thu, 14 Feb 2008 08:27:59 +0000 (08:27 +0000)