Fix for another XSS hole
author: Steve McIntyre <steve@einval.com>
Sat, 26 Mar 2016 22:04:07 +0000 (22:04 +0000)
committer: Steve McIntyre <steve@einval.com>
Sat, 26 Mar 2016 22:04:07 +0000 (22:04 +0000)
If we've detected an attempt to subvert the query term, don't print it
back at people! Reset the string.

find_file.cgi

index 1dbb0ef..3703265 100755 (executable)
@@ -297,6 +297,7 @@ if ( (!@chosen_areas) &&
 }
 
 if (defined($query_term) && $query_term =~ m/[\@\~\[\]\{\}|#\%\<\>\'\";\\\/]/) {
+    $q->param(-name=>'query', -value=>'');
     blank_form("Invalid query string");
 }
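Review bot: clearing the CGI parameter does not clear the local copy; `$query_term` still holds the rejected string after the added line, so if `blank_form()` (or anything it renders) reads `$query_term` rather than re-fetching `$q->param('query')`, the value is still printed back to the user. Consider also resetting the variable in the same branch, e.g. `$query_term = '';` before `blank_form("Invalid query string");`. More generally, the blacklist regex on line 15 (`m/[\@\~\[\]\{\}|#\%\<\>\'\";\\\/]/`) is a fragile guard: it lists characters rather than escaping output, so any character or encoding it omits still reaches the page unescaped. The robust fix is to HTML-escape every reflected value at the point of output (CGI.pm's `escapeHTML`, or `encode_entities` from HTML::Entities), keeping the character check only as input validation.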