path sanitizing for card parameter

diff --git a/cards/edit_card.sh b/cards/edit_card.sh
index 5a051949ae72c89e686aea1672440d16a4f39d27..61c58fe815c10cb456f5f9e3c73c4bd8d52c9c00 100755 (executable)
--- a/cards/edit_card.sh
+++ b/cards/edit_card.sh
@@ -20,8 +20,8 @@
 locktimeout=900
 . "$_EXEC"/session_lock.sh
 
-card="$(GET card)"
-cardfile="$_DATA/vcard/$card"
+card="$(GET card |PATH)"
+cardfile="$_DATA/vcard/${card##*/}"
 filter="$(REF f)"
 order="$(REF o)"
 

diff --git a/cards/index.cgi b/cards/index.cgi
index 6f44168fa0914e239a086a05bf0b9ee26b4481a7..f1306f6aeb0ed05f395a2580fed9fe2f85b62a7e 100755 (executable)
--- a/cards/index.cgi
+++ b/cards/index.cgi
@@ -16,11 +16,12 @@ upcase=' y;abcdefghijklmnopqrstuvwxyzäöüé;ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÜÉ
 
 filter="$(GET f)"
 order="$(GET o)"
-edit="$(GET e)"
+edit="$(GET e |PATH)"
+
 [ "$order" ] || order=firstname
+edit="${edit##*/}"
 
 { w_filter_diag
-
   printf '
   [form class="newcard" action="/cards/new_card.sh" method="POST"
     [button type="submit" %s]

diff --git a/cards/update_card.sh b/cards/update_card.sh
index f44eb28b8d534b5f69bb277d4ba693925ca8dd4e..34db10cfb740bdf23493b1590b221c8167b3581a 100755 (executable)
--- a/cards/update_card.sh
+++ b/cards/update_card.sh
@@ -27,8 +27,8 @@ unset vcf field cnt delete_key
 filter="$(REF f)"
 order="$(REF o)"
 
-card="$(POST card)"
-cardfile="$_DATA/vcard/$card"
+card="$(POST card |PATH)"
+cardfile="$_DATA/vcard/${card##*/}"
 attfile="$_DATA/mappings/attendance"
 
 action="$(POST action)"