author | nachoparker <nacho@ownyourbits.com> | 2019-01-05 01:22:56 +0300 |
---|---|---|
committer | nachoparker <nacho@ownyourbits.com> | 2019-01-05 04:14:53 +0300 |
commit | c842e00399cb298667fe177dbab825e17b4b21a0 (patch) | |
tree | 55a80c3a09b9c4151fad10966d301b314dbec37d /ncp-web | |
parent | 7dd482893854079cbaf62671166a75330e3141dd (diff) |
sanitize params
Diffstat (limited to 'ncp-web')
-rw-r--r-- | ncp-web/ncp-launcher.php | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/ncp-web/ncp-launcher.php b/ncp-web/ncp-launcher.php
index 8590b066..6f103f6b 100644
--- a/ncp-web/ncp-launcher.php
+++ b/ncp-web/ncp-launcher.php
@@ -58,7 +58,15 @@ if ( $_POST['action'] == "launch" && $_POST['config'] )
 or exit('{ "output": "Invalid request" }');
 foreach ($cfg['params'] as $index => $param)
- $cfg['params'][$index]['value'] = $new_params[$cfg['params'][$index]['id']];
+ {
+ // sanitize
+ $val = trim(escapeshellarg($new_params[$cfg['params'][$index]['id']]),"'");
+ preg_match( '/ /' , $val , $matches )
+ and exit( '{ "output": "Invalid parameters" , "token": "' . getCSRFToken() . '" }' );
+
+ // save
+ $cfg['params'][$index]['value'] = $val;
+ }
 $cfg_str = json_encode($cfg)
 or exit('{ "output": "' . $ncp_app . ' internal error" }'); |
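Review bot: The `$val = trim(escapeshellarg(...),"'")` line undoes the protection it invokes: `escapeshellarg()` works by wrapping the value in single quotes, and `trim(..., "'")` strips exactly those quotes again, so the stored value is an unquoted string whose only remaining filter is the `preg_match('/ /', ...)` check on the next line, which rejects ASCII spaces but not tabs, newlines or shell metacharacters such as `;`, `|`, `&`, backticks or `$(`. If `$cfg['params'][...]['value']` is later interpolated into a command (not visible in this hunk), this is not a reliable guard; a safer shape is an anchored allow-list on the raw input, e.g. `preg_match('/\A[\w.\/=@:-]*\z/', $new_params[$id]) or exit(...)`, with `escapeshellarg()` applied at the point where the value is actually handed to a shell and its quotes kept. Two smaller points: when `$new_params` lacks the key, `escapeshellarg(null)` yields `''` and the parameter is silently saved as an empty string rather than rejected, and `$matches` is never read and can be dropped from the `preg_match` call. The enclosing `if` block starts and ends outside this hunk.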