Posted to commits@spamassassin.apache.org by he...@apache.org on 2021/08/23 08:49:51 UTC
svn commit: r1892540 - /spamassassin/trunk/masses/rule-qa/automc/ruleqa.cgi
Author: hege
Date: Mon Aug 23 08:49:51 2021
New Revision: 1892540
URL: http://svn.apache.org/viewvc?rev=1892540&view=rev
Log:
More parameter sanitization
Modified:
spamassassin/trunk/masses/rule-qa/automc/ruleqa.cgi
Modified: spamassassin/trunk/masses/rule-qa/automc/ruleqa.cgi
URL: http://svn.apache.org/viewvc/spamassassin/trunk/masses/rule-qa/automc/ruleqa.cgi?rev=1892540&r1=1892539&r2=1892540&view=diff
==============================================================================
--- spamassassin/trunk/masses/rule-qa/automc/ruleqa.cgi (original)
+++ spamassassin/trunk/masses/rule-qa/automc/ruleqa.cgi Mon Aug 23 08:49:51 2021
@@ -1638,17 +1638,21 @@ sub precache_params {
next if ($k eq 'q'); # a shortcut, ignore for future refs
my $v = $self->{q}->param($k);
if (!defined $v) { $v = ''; }
- $self->{cgi_params}{$k} = "$k=".uri_escape($v);
+ $k =~ s/[<>]//gs;
+ $v =~ s/[<>]//gs;
+ $self->{cgi_params}{$k} = uri_escape($k)."=".uri_escape($v);
}
}
sub add_cgi_path_param { # assumes already escaped unless $not_escaped
my ($self, $k, $v, $not_escaped) = @_;
+ $k =~ s/[<>]//gs;
+ $v =~ s/[<>]//gs;
if (!defined $self->{cgi_params}{$k}) {
push (@{$self->{cgi_param_order}}, $k);
}
if ($not_escaped) {
- $self->{cgi_params}{$k} = $k."=".uri_escape($v);
+ $self->{cgi_params}{$k} = uri_escape($k)."=".uri_escape($v);
$self->{q}->param(-name=>$k, -value=>$v);
} else {
$self->{cgi_params}{$k} = $k."=".$v;