Commit

Merge pull request #4 from fser/master
limits the authorized characters for listname, to avoid command injection
albancrommer authored Jun 21, 2018
2 parents 9847152 + c760e7a commit fc18031
Showing 1 changed file with 6 additions and 0 deletions.
6 changes: 6 additions & 0 deletions bureau/admin/mman_doadd.php
Expand Up @@ -34,6 +34,12 @@
);
getFields($fields);

if (preg_match('/^\w+$/', $login) === 0) {
$error=_('Invalid list name (only letters, digits and underscore).');
include("mman_add.php");
exit();
}

$r=$mailman->add_lst($domain,$login,$owner,$pass,$pass2);
if (!$r) {
include("mman_add.php");
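
Review bot: The added check `preg_match('/^\w+$/', $login) === 0` is looser than its error message promises, in two ways. Without the `D` modifier, `$` also matches just before a trailing newline, so a list name ending in a line feed passes; anchor with `\z` (`'/^\w+\z/'`) or use `'/^\w+$/D'`. Comparing with `=== 0` also lets a `false` return (a PCRE error) fall through to `add_lst()`; rejecting on `!== 1` fails closed. Separately, only `$login` is validated here while `$domain`, `$owner`, `$pass` and `$pass2` go to `add_lst()` unchecked in this file; if any of them reaches the same command line, they need equivalent validation or escaping at the point where the command is built. A short comment above the check saying why the character set is restricted would help the next maintainer keep it.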