path sanitizing for card parameter
[confetti] / cards / index.cgi
index 6f44168fa0914e239a086a05bf0b9ee26b4481a7..f1306f6aeb0ed05f395a2580fed9fe2f85b62a7e 100755 (executable)
@@ -16,11 +16,12 @@ upcase=' y;abcdefghijklmnopqrstuvwxyzäöüé;ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÜÉ
 
 filter="$(GET f)"
 order="$(GET o)"
-edit="$(GET e)"
+edit="$(GET e |PATH)"
+
 [ "$order" ] || order=firstname
+edit="${edit##*/}"
 
 { w_filter_diag
-
   printf '
   [form class="newcard" action="/cards/new_card.sh" method="POST"
     [button type="submit" %s]
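Review bot: After `edit="${edit##*/}"` the value can still be `.` or `..`, because stripping everything up to the last slash does not reject those names; whether the `PATH` helper on the `GET e` line already collapses them is not visible in this hunk. If `$edit` is later joined onto a directory to locate a card file, a guard such as `case "$edit" in .|..) edit='' ;; esac` directly after the strip would close that gap. The two sanitising steps are also split by the `order` default, so I would put them on adjacent lines under a comment like `# card id from the query string: normalise, then keep only the final path component`. `filter` and `order` are still read raw from the query string; how they are used lies outside the hunk, so they may need the same treatment.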