[FFmpeg-devel] [PATCH] fateserver/index: clean chars in sort parameter
Michael Niedermayer
michael at niedermayer.cc
Mon Oct 16 23:36:04 EEST 2017
Prevents cross site scripting attack
Found-by: Pankaj Jadhav <pankajj736 at gmail.com>
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
---
index.cgi | 2 ++
1 file changed, 2 insertions(+)
diff --git a/index.cgi b/index.cgi
index 030fb52..a164d3b 100755
--- a/index.cgi
+++ b/index.cgi
@@ -32,6 +32,8 @@ use URI::Escape;
my @queries = split(/\/\//, uri_unescape param 'query') if (param 'query');
my $sort = param('sort');
+$sort =~ s/[^A-Za-z0-9 ]*//g;
+param('sort', $sort);
$sort = $sort eq 'arch' ? 'subarch': $sort;
(my $uri = $ENV{REQUEST_URI}) =~ s/\?.*//;
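Review bot: the two added lines run even when the request carries no sort parameter, so $sort is undef at the s///g and that undef is then passed to param('sort', $sort); guard both lines with "if (defined $sort)" or give $sort a default first. The "*" in [^A-Za-z0-9 ]* also lets the pattern match the empty string at every position; "+" or "$sort =~ tr/A-Za-z0-9 //cd;" states the intent more directly. A one-line comment saying that sort keys are plain alphanumerics (the next line only special-cases 'arch') would document why this character set is enough, and the 'query' parameter two lines up is unescaped but not cleaned here, so it is worth confirming it is escaped wherever it is written out.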
--
2.14.2