ref: c7faa54ac73cd0fb2fc35b3e074071dd0b5c01fe
parent: 255eea6b9e7a886ccfcea5e19bbc95a773367085
author: sl <sl@gaff>
date: Mon Sep 2 22:20:21 EDT 2024
lib/core: implement rudimentary whitelist filter in parse_get_args() and parse_post_args()
--- a/lib/core
+++ b/lib/core
@@ -295,19 +295,17 @@
fn parse_get_args{
if(! ~ $#get_arg_a_func 0)
- a_func=$get_arg_a_func
+ a_func=`{echo $get_arg_a_func | tr -cd 'a-zA-Z0-9_'}
if(! ~ $#get_arg_a_id 0)
- a_id=$get_arg_a_id
+ a_id=`{echo $get_arg_a_id | tr -cd '0-9'}
if(! ~ $#get_arg_id 0)
- id=$get_arg_id
+ id=`{echo $get_arg_id | tr -cd '0-9'}
if(! ~ $#get_arg_start 0)
- start=$get_arg_start
+ start=`{echo $get_arg_start | tr -cd '0-9'}
if(! ~ $#get_arg_stop 0)
- stop=$get_arg_stop
- if(! ~ $#get_arg_reply 0)
- reply=$get_arg_reply
+ stop=`{echo $get_arg_stop | tr -cd '0-9'}
if(! ~ $#get_arg_tags 0)
- tags=$get_arg_tags
+ tags=`{echo $get_arg_tags | tr -cd 'a-zA-Z0-9_-'}
}
fn parse_post_args{
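Review bot: The new filters on a_func, a_id, id, start, stop and tags strip disallowed characters instead of rejecting the value, so a malformed or hostile argument is silently rewritten into something that looks valid (`a_func=foo;bar` becomes `foobar`, `id=-5` becomes `5`), and when the input is multi-valued or is filtered away entirely the backquote leaves the variable as an empty list even though the `! ~ $#get_arg_… 0` guard was already passed. I would treat any change as a rejection: after `id=`{echo $get_arg_id | tr -cd '0-9'}` add `if(! ~ $"get_arg_id $"id) id=()` (the filtered value contains no glob metacharacters, so it is safe on the pattern side) and do the same for the other fields. The hunk also drops the `reply=$get_arg_reply` assignment with no replacement and the commit message does not mention it; if anything downstream still reads `$reply` that looks unintended, otherwise it deserves a word in the message.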
@@ -316,14 +314,14 @@
p='post_arg_'$"a
$a=$$p
}
- if(! ~ $#post_arg_a_download 0)
+ if(~ $#post_arg_a_download 0 1)
a_download=$post_arg_a_download
if(! ~ $#post_arg_a_func 0)
- a_func=$post_arg_a_func
+ a_func=`{echo $post_arg_a_func | tr -cd 'a-zA-Z0-9_'}
if(! ~ $#post_arg_fake 0)
- fake=$post_arg_fake
+ fake=`{echo $post_arg_fake | tr -cd 'a-zA-Z0-9_-'}
if(! ~ $#post_arg_a_id 0)
- a_id=$post_arg_a_id
+ a_id=`{echo $post_arg_a_id | tr -cd '0-9'}
if(! ~ $#post_arg_url 0)
url=$post_arg_url
}
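Review bot: `url=$post_arg_url` still passes the value through unfiltered, and the copy loop at the top of the hunk (`$a=$$p`, whose `for` header lies before the hunk) copies whatever other post args it iterates over without any filtering, so parse_post_args is only partly covered by the new allowlist. How much that matters depends on where `$url` and the copied variables end up (a command line, a file, an HTML page), which this hunk does not show; at a minimum I would constrain the URL's shape, e.g. `if(! ~ $"post_arg_url http://* https://*) url=()` with the comment `# only absolute http(s) URLs; anything else is dropped`. The changed `~ $#post_arg_a_download 0 1` test now also assigns when the argument is absent (a_download becomes an empty list), which is probably harmless but differs from the `! ~ $# … 0` shape used for every other field, so a comment such as `# single value only; a repeated a_download is ignored` would make the intent explicit. Since the `tr -cd` expressions for a_func and a_id are now duplicated between parse_get_args and parse_post_args, a small helper like `fn clean{ echo $1 | tr -cd $2 }` would keep the two allowlists from drifting apart.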