More sanitisation
authorSteve McIntyre <steve@einval.com>
Sun, 27 Mar 2016 01:35:21 +0000 (02:35 +0100)
committerSteve McIntyre <steve@einval.com>
Sun, 27 Mar 2016 01:35:21 +0000 (02:35 +0100)
find_file.cgi

index 3703265..6d32b98 100755 (executable)
@@ -296,9 +296,22 @@ if ( (!@chosen_areas) &&
     blank_form("");
 }
 
-if (defined($query_term) && $query_term =~ m/[\@\~\[\]\{\}|#\%\<\>\'\";\\\/]/) {
-    $q->param(-name=>'query', -value=>'');
-    blank_form("Invalid query string");
+if (defined($query_term)) {
+    if ($query_term =~ m/[\@\~\[\]\{\}|#\%\<\>\'\";\\\/]/) {
+       $q->param(-name=>'query', -value=>'');
+       $q->param(-name=>'type', -value=>'');
+       $q->param(-name=>'search_area', -value=>());
+       blank_form("Invalid query string");
+    }
+}
+
+if (defined($query_type)) {
+    if (!($query_type eq "exact" or $query_type eq "simple")) {
+       $q->param(-name=>'query', -value=>'');
+       $q->param(-name=>'type', -value=>'');
+       $q->param(-name=>'search_area', -value=>());
+       blank_form("Invalid query string");
+    }
 }
 
 if (!(@chosen_areas) && defined($query_term)) {
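Review bot: The `$query_term` check at the top of the hunk is still a character denylist while the new `$query_type` check below it is an exact-match allowlist; characters such as `` ` ``, `$`, `&`, `(`, `)`, `*`, `!`, newlines and other control characters all pass the denylist, which matters if the term is later interpolated into a shell command or an unquoted regex (its uses lie outside this hunk, so this is a risk to confirm rather than a demonstrated bug). Inverting it to an anchored allowlist of what a file search legitimately needs, e.g. `if ($query_term !~ m/\A[\w.,+ :-]+\z/) {`, rejects everything not explicitly permitted and is much easier to audit than a list of forbidden characters. Separately, `-value=>()` flattens to a bare `-value` with no following argument, so it is worth confirming that CGI.pm's `param()` really clears `search_area` in that case rather than leaving it untouched; `$q->delete('search_area');` is the unambiguous way to reset it. Both error branches also assume `blank_form` does not return; if it does, execution falls through to the code below with a blanked query, and the surrounding script (which starts and ends outside this hunk) should be checked for that.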