From de8d4cf5570142a647bfe81f13fa87a73802e4e8 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Paul=20H=C3=A4nsch?=
Date: Tue, 20 Aug 2019 13:59:02 +0200
Subject: [PATCH] path sanitizing for card parameter
---
 cards/edit_card.sh | 4 ++--
 cards/index.cgi | 5 +++--
 cards/update_card.sh | 4 ++--
 3 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/cards/edit_card.sh b/cards/edit_card.sh
index 5a05194..61c58fe 100755
--- a/cards/edit_card.sh
+++ b/cards/edit_card.sh
@@ -20,8 +20,8 @@ locktimeout=900
 . "$_EXEC"/session_lock.sh
-card="$(GET card)"
-cardfile="$_DATA/vcard/$card"
+card="$(GET card |PATH)"
+cardfile="$_DATA/vcard/${card##*/}"
 filter="$(REF f)"
 order="$(REF o)"
diff --git a/cards/index.cgi b/cards/index.cgi
index 6f44168..f1306f6 100755
--- a/cards/index.cgi
+++ b/cards/index.cgi
@@ -16,11 +16,12 @@ upcase=' y;abcdefghijklmnopqrstuvwxyzäöüé;ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÜÉ
 filter="$(GET f)"
 order="$(GET o)"
-edit="$(GET e)"
+edit="$(GET e |PATH)"
+
 [ "$order" ] || order=firstname
+edit="${edit##*/}"
 {
 w_filter_diag
-
 printf '
 [form class="newcard" action="/cards/new_card.sh" method="POST"
 [button type="submit" %s]
diff --git a/cards/update_card.sh b/cards/update_card.sh
index f44eb28..34db10c 100755
--- a/cards/update_card.sh
+++ b/cards/update_card.sh
@@ -27,8 +27,8 @@ unset vcf field cnt delete_key
 filter="$(REF f)"
 order="$(REF o)"
-card="$(POST card)"
-cardfile="$_DATA/vcard/$card"
+card="$(POST card |PATH)"
+cardfile="$_DATA/vcard/${card##*/}"
 attfile="$_DATA/mappings/attendance"
 action="$(POST action)"
-- 
2.39.2
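Review bot: `${card##*/}` on the new cardfile line leaves `.`, `..` and the empty string unchanged, so a missing card parameter or one whose last path component is a dot entry makes cardfile name the vcard directory itself or its parent rather than a file, and the hunk shows no check for that. Unless the PATH filter, which is defined outside this diff, already rejects such components, a guard right after the assignment such as `case "${card##*/}" in ''|.|..) exit 1;; esac` (using whatever error response the script normally emits) closes the gap. The raw `card` also stays in scope after this hunk, so any later use of `$card` outside the hunk would see the unstripped value; assigning `card="${card##*/}"` once would make every later use consistent. The identical lines in cards/update_card.sh and the `edit` handling in cards/index.cgi have the same shape. The script continues beyond this hunk.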
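Review bot: The basename strip `edit="${edit##*/}"` is separated from the assignment `edit="$(GET e |PATH)"` by a new blank line and the unrelated `order` default, so the two halves of the sanitization read as independent statements and can drift apart in a later edit. Placing `edit="${edit##*/}"` directly under the assignment keeps the sanitization in one place, matching how cards/edit_card.sh and cards/update_card.sh strip the value where it is consumed. The blank line added before `[ "$order" ]` then becomes unnecessary. The surrounding script continues past the hunk.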