From c760e7a646d58714b6db7b893d8b49599066e8d8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20=28fser=29?=
Date: Tue, 11 Oct 2016 20:59:40 +0200
Subject: [PATCH] limits the authorized characters for listname, to avoid command injection in the cron robots

---
 bureau/admin/mman_doadd.php | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/bureau/admin/mman_doadd.php b/bureau/admin/mman_doadd.php
index 910c03b..a122e55 100644
--- a/bureau/admin/mman_doadd.php
+++ b/bureau/admin/mman_doadd.php
@@ -34,6 +34,12 @@
 );
 getFields($fields);
 
+if (preg_match('/^\w+$/', $login) === 0) {
+ $error=_('Invalid list name (only letters, digits and underscore).');
+ include("mman_add.php");
+ exit();
+}
+
 $r=$mailman->add_lst($domain,$login,$owner,$pass,$pass2);
 if (!$r) {
 $error=$err->errstr();
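Review bot: The new guard on `$login` is not as tight as the error message claims, because in PCRE `$` also matches just before a trailing newline, so a value ending in "\n" passes `/^\w+$/` and still reaches `add_lst()`; anchor with `\z` instead (or add the `D` modifier). The comparison `=== 0` also lets a `preg_match()` failure (return value `false`) fall through as if the name were valid; comparing against the success value closes both gaps in one line: `if (preg_match('/^\w+\z/', $login) !== 1) {`. Only `$login` is validated here while `$domain`, `$owner`, `$pass` and `$pass2` are passed to `add_lst()` on the same line; if any of those is also handed to the cron robots, it presumably needs the same treatment, which is worth confirming against `add_lst()`. The surrounding script, including where `getFields()` populates `$login`, lies outside this hunk.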