Ticket #48

ezmlm-web.cgi - synced regexps in create_list and untaint
2008-07-11 09:42:24 +00:00 · 2008-07-11 09:42:24 +00:00 · 00034f178d
parent 1f699d3cba
commit 00034f178d
1 changed files with 2 additions and 2 deletions
--- a/ezmlm-web.cgi
+++ b/ezmlm-web.cgi
@ -1457,7 +1457,7 @@ sub untaint {

 	# check the list name
 	if (defined($q->param('list')) &&
-			($q->param('list') =~ /[^\w\.-]/) &&
+			($q->param('list') !~ m/^[\w\d\_\-\.\/\@]+$/) &&
 			($q->param('action') !~ /^list_create_(do|ask)$/)) {
 		$warning = 'InvalidListName' if ($warning eq '');
 		$q->param(-name=>'list', -values=>'');
@ -1651,7 +1651,7 @@ sub create_list {
 	# dotqmail files may not contain uppercase letters
 	$qmail = lc($qmail);
 	$listname = $q->param('list');
-	if ($listname =~ m/[^\w\.-]/) {
+	if ($listname !~ m/^[\w\d\_\-\.\/\@]+$/) {
 		$warning = 'InvalidListName';
 		return (1==0);
   	}