FIX #3: CVE-2014-3926: XSS in <title> via "addr" parameter
This code is from 04adc9d
Cougar committed Jun 22, 2014
1 parent a686dc8 commit 12339bf
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions lg.cgi
Expand Up @@ -168,6 +168,9 @@ if ((! defined $router_list{$FORM{router}}) ||
exit;
}

$FORM{addr} =~ s/\s.*// if (($FORM{query} eq "ping") || ($FORM{query} eq "trace"));
$FORM{addr} =~ s/[^\s\d\.:\w\-_\/\$]//g;

if ($router_list{$FORM{router}} =~ /^http[s]{0,1}:/) {
if ($logfile ne "") {
print LOG " \"$FORM{router}\" \"$FORM{query}" . ($FORM{addr} ne "" ? " $FORM{addr}" : "") . "\"\n";
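Review bot: the first added substitution, `$FORM{addr} =~ s/\s.*//`, has no `/s` modifier, so `.` stops at a newline and anything after that newline is left in place for ping and trace queries. The second added line then keeps `\s` in its allowed class, which includes CR and LF, so a line break in `addr` can still reach the `print LOG` statement in the context below and split a log entry. For the other query types whitespace is not trimmed at all. Suggest `s/\s.*//s` for the trim and allowing only a literal space (or no whitespace) in the character class instead of `\s`. It would also help to add a comment saying why `$` and `/` are in the allowed set, and to HTML-escape `addr` at the point where it is written into `<title>`, so the fix does not depend on this filter alone.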