diff options
| author | Stefan Ritter <xeno@goliath.thehappy.de> | 2009-07-21 17:27:23 +0200 |
|---|---|---|
| committer | Stefan Ritter <xeno@goliath.thehappy.de> | 2009-07-21 17:27:23 +0200 |
| commit | 479e4490bcc1ba594ffaefc4b4a6fc6d7bb53126 (patch) | |
| tree | 2b28aa8d7f010d53a2de269bfad32afc3a54f6eb | |
| parent | 620353422308d99f7f3cd54167166b27a613711b (diff) | |
Fixed a grave security issue
| -rwxr-xr-x | blogthon.cgi | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/blogthon.cgi b/blogthon.cgi index 41359a2..8fa1c7d 100755 --- a/blogthon.cgi +++ b/blogthon.cgi @@ -123,9 +123,15 @@ except: errorpage("newest_first") # Read POST Variables action = cgi.FieldStorage() month_display = action.getvalue('m') + static_display = action.getvalue('s') +if static_display: static_display = re.sub('/', '', static_display) + post_display = action.getvalue('p') -if post_display: post_display = re.sub(' ', '-', post_display) +if post_display: + post_display = re.sub(' ', '-', post_display) + post_display = re.sub('/', '', post_display) + allentries_display = action.getvalue('a') feed_display = action.getvalue('feed') if not month_display: month_display = "" |