[FFmpeg-devel] [PATCH] fateserver/index: clean chars in sort parameter

Michael Niedermayer michael at niedermayer.cc
Mon Oct 16 23:36:04 EEST 2017


Prevents cross site scripting attack

Found-by: Pankaj Jadhav <pankajj736 at gmail.com>
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
---
 index.cgi | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/index.cgi b/index.cgi
index 030fb52..a164d3b 100755
--- a/index.cgi
+++ b/index.cgi
@@ -32,6 +32,8 @@ use URI::Escape;
 my @queries = split(/\/\//, uri_unescape param 'query') if (param 'query');
 
 my $sort = param('sort');
+$sort =~ s/[^A-Za-z0-9 ]*//g;
+param('sort', $sort);
 $sort    = $sort eq 'arch' ? 'subarch': $sort;
 
 (my $uri = $ENV{REQUEST_URI}) =~ s/\?.*//;
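Review bot: the substitution on the new line `$sort =~ s/[^A-Za-z0-9 ]*//g;` runs on an undefined value when the request carries no `sort` parameter, which under `use warnings` logs "Use of uninitialized value" for every such request; guard it with `$sort //= '';` (or `if (defined $sort)`) before the substitution. The whitelist approach itself is the right fix for the reflected-input problem described in the commit message, but the `*` quantifier matches empty strings at every position and is better written as `s/[^A-Za-z0-9 ]+//g`. Since the filtered value is written back with `param('sort', $sort)`, later reads of the parameter get the cleaned value, which is good; the `query` parameter handled two lines above via `uri_unescape` receives no comparable filtering, so it is worth confirming that it is never echoed into the generated page unescaped.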
-- 
2.14.2