From: Paul Hänsch
Date: Tue, 20 Aug 2019 11:59:02 +0000 (+0200)
Subject: path sanitizing for card parameter
X-Git-Url: https://git.plutz.net/?a=commitdiff_plain;h=de8d4cf5570142a647bfe81f13fa87a73802e4e8;p=lobster

path sanitizing for card parameter
---

diff --git a/cards/edit_card.sh b/cards/edit_card.sh
index 5a05194..61c58fe 100755
--- a/cards/edit_card.sh
+++ b/cards/edit_card.sh
@@ -20,8 +20,8 @@ locktimeout=900
 . "$_EXEC"/session_lock.sh
-card="$(GET card)"
-cardfile="$_DATA/vcard/$card"
+card="$(GET card |PATH)"
+cardfile="$_DATA/vcard/${card##*/}"
 filter="$(REF f)"
 order="$(REF o)"
diff --git a/cards/index.cgi b/cards/index.cgi
index 6f44168..f1306f6 100755
--- a/cards/index.cgi
+++ b/cards/index.cgi
@@ -16,11 +16,12 @@ upcase=' y;abcdefghijklmnopqrstuvwxyzäöüé;ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÜÉ
 filter="$(GET f)"
 order="$(GET o)"
-edit="$(GET e)"
+edit="$(GET e |PATH)"
+
 [ "$order" ] || order=firstname
+edit="${edit##*/}"
 {
 w_filter_diag
-
 printf '
 [form class="newcard" action="/cards/new_card.sh" method="POST"
 [button type="submit" %s]
diff --git a/cards/update_card.sh b/cards/update_card.sh
index f44eb28..34db10c 100755
--- a/cards/update_card.sh
+++ b/cards/update_card.sh
@@ -27,8 +27,8 @@ unset vcf field cnt delete_key
 filter="$(REF f)"
 order="$(REF o)"
-card="$(POST card)"
-cardfile="$_DATA/vcard/$card"
+card="$(POST card |PATH)"
+cardfile="$_DATA/vcard/${card##*/}"
 attfile="$_DATA/mappings/attendance"
 action="$(POST action)"
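Review bot: `${card##*/}` removes any directory prefix but still lets `.` and `..` through, so a request with `card=..` makes `cardfile` resolve to `$_DATA/vcard/..`, i.e. the data directory itself, and an empty `card` leaves `cardfile` pointing at the `vcard` directory. The `PATH` helper's definition is not in this diff, so it may or may not reject those values; the basename strip alone does not. A guard right after the strip closes it regardless, e.g. `case "${card##*/}" in ''|.|..) card= ;; esac` followed by refusing to proceed when `card` is empty, and a comment such as `# basename only: card must never escape $_DATA/vcard` on the `cardfile=` line would tell the next reader why the expansion is there. The rest of edit_card.sh, where `cardfile` is read or written, lies outside the hunk.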
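Review bot: The basename strip `edit="${edit##*/}"` sits two lines below the `GET e |PATH` assignment with the unrelated `order` default in between, so for that stretch `edit` is still unsanitized and a reader can easily miss the second step; keeping it adjacent, or folding it into one line, `edit="$(GET e |PATH)"; edit="${edit##*/}"`, reads as one sanitization. As in the other two files, `.` and `..` survive the strip, so `e=..` yields `..` rather than an empty selection; `case "$edit" in .|..) edit= ;; esac` would make those behave like no card selected. The `{` group opened in this hunk is closed outside it, so I cannot see where `edit` is consumed.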
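Review bot: This is the third copy of the same two-step sanitization (`|PATH` then `${card##*/}`), after edit_card.sh and index.cgi, and each copy still lets `.` and `..` through; a single helper in a sourced file that prints the basename and fails on `''`, `.` and `..` would keep the three call sites from drifting apart. Note also that piping through `PATH` discards its exit status, so if `PATH` signals rejection by return code rather than by emitting an empty string, nothing in this hunk observes it — its definition is not visible here, so confirm which it is. The lines that actually use `cardfile` are past the end of the hunk.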