Sanitize action and slug parameters.
action: Allow only Latin letters, digits, underscores, and dashes.
slug: Strip characters that are not valid in file names.
YahnisElsts committed May 23, 2017
1 parent c129e82 commit 395955f
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions includes/Wpup/Request.php
@@ -30,8 +30,8 @@ public function __construct($query, $headers, $clientIp = '0.0.0.0', $httpMethod
$this->clientIp = $clientIp;
$this->httpMethod = strtoupper($httpMethod);

$this->action = $this->param('action', '');
$this->slug = $this->param('slug', '');
$this->action = preg_replace('@[^a-z0-9\-_]@i', '', $this->param('action', ''));
$this->slug = preg_replace('@[:?/\\\]@i', '', $this->param('slug', ''));

//If the request was made via the WordPress HTTP API we can usually
//get WordPress version and site URL from the user agent.
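Review bot: the slug filter in the added line `$this->slug = preg_replace('@[:?/\\\]@i', '', $this->param('slug', ''));` is a deny-list that removes only `:`, `?`, `/` and `\`, whereas the action line directly above it uses an allow-list (`[^a-z0-9\-_]`). The commit message says the slug is stripped of everything not valid in a file name, but NUL bytes, other control characters and a bare `..` all pass this pattern unchanged. Consider giving slug the same allow-list shape as action, for example `preg_replace('@[^a-z0-9\-_.]@i', '', ...)` with whatever set of characters legitimate slugs actually use, and consider rejecting the request when the sanitized value differs from the raw one instead of silently collapsing it, since otherwise `a/b` and `ab` resolve to the same slug. Two smaller points on the same line: the `i` modifier does nothing because the character class contains no letters, and the `\\\` sequence inside a single-quoted PHP string is easy to misread as escaping the `]`; it does yield a regex-level `\\` (one literal backslash), but `'@[:?/\\\\]@'` with four backslashes expresses the same match unambiguously.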
