path sanitizing for card parameter
authorPaul Hänsch <paul@plutz.net>
Tue, 20 Aug 2019 11:59:02 +0000 (13:59 +0200)
committerPaul Hänsch <paul@plutz.net>
Tue, 20 Aug 2019 11:59:02 +0000 (13:59 +0200)
cards/edit_card.sh
cards/index.cgi
cards/update_card.sh

index 5a05194..61c58fe 100755 (executable)
@@ -20,8 +20,8 @@
 locktimeout=900
 . "$_EXEC"/session_lock.sh
 
-card="$(GET card)"
-cardfile="$_DATA/vcard/$card"
+card="$(GET card |PATH)"
+cardfile="$_DATA/vcard/${card##*/}"
 filter="$(REF f)"
 order="$(REF o)"
 
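Review bot: `${card##*/}` on line 18 strips directory components from the request value but still lets `.` and `..` (and an empty string) through, so `card=..` yields `cardfile="$_DATA/vcard/.."`; the same pattern is used for `card` in cards/update_card.sh and for `edit` in cards/index.cgi. Whether that matters depends on what the script does with `$cardfile` further down, outside this hunk, but it is cheap to reject up front: `card="${card##*/}"` followed by `case "$card" in ''|.|..) card='';; esac` before building `cardfile`, using whatever the script already treats as "no card selected". What the `PATH` filter normalises is not visible here; if it already rejects dot components a comment saying so would save the next reader the question, e.g. `# PATH filters the value, basename is taken below`.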
index 6f44168..f1306f6 100755 (executable)
@@ -16,11 +16,12 @@ upcase=' y;abcdefghijklmnopqrstuvwxyzäöüé;ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÜÉ
 
 filter="$(GET f)"
 order="$(GET o)"
-edit="$(GET e)"
+edit="$(GET e |PATH)"
+
 [ "$order" ] || order=firstname
+edit="${edit##*/}"
 
 { w_filter_diag
-
   printf '
   [form class="newcard" action="/cards/new_card.sh" method="POST"
     [button type="submit" %s]
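Review bot: The basename strip `edit="${edit##*/}"` on line 31 is separated from the `GET e |PATH` assignment on line 28 by the unrelated `order` default, so the sanitising step is easy to overlook or to reorder away later; the other two files in this commit fold the strip into the use site instead. Either move line 31 directly under line 28, or fold it into the assignment, `edit="$(GET e |PATH)"; edit="${edit##*/}"`, so the request value is never held unstripped across other statements. A short comment on that line, `# keep only the file name component`, would also document why the strip is there.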
index f44eb28..34db10c 100755 (executable)
@@ -27,8 +27,8 @@ unset vcf field cnt delete_key
 filter="$(REF f)"
 order="$(REF o)"
 
-card="$(POST card)"
-cardfile="$_DATA/vcard/$card"
+card="$(POST card |PATH)"
+cardfile="$_DATA/vcard/${card##*/}"
 attfile="$_DATA/mappings/attendance"
 
 action="$(POST action)"