From 6e32d276d0e30f7c1443b2a86b18df79da91c3ac Mon Sep 17 00:00:00 2001
From: Scott Ullrich
Date: Fri, 12 Dec 2008 18:20:37 +0000
Subject: Do not allow \ in fieldnames.

---
 usr/local/www/pkg_edit.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'usr/local/www/pkg_edit.php')

diff --git a/usr/local/www/pkg_edit.php b/usr/local/www/pkg_edit.php
index 05b61cb..dde4af9 100755
--- a/usr/local/www/pkg_edit.php
+++ b/usr/local/www/pkg_edit.php
@@ -159,10 +159,11 @@ if ($_POST) {
 } else {
 if($firstfield == $rowhelperfield['fieldname']) $rows++;
 }
-$comd = "\$value = \$_POST['" . $rowhelperfield['fieldname'] . $x . "'];";
+$fieldname = str_replace("\\", "", $rowhelperfield['fieldname']);
+$fieldname = "\$value = \$_POST['" . $fieldname . $x . "'];";
 eval($comd);
 if($value <> "") {
-$comd = "\$pkgarr['row'][" . $x . "]['" . $rowhelperfield['fieldname'] . "'] = \"" . $value . "\";";
+$comd = "\$pkgarr['row'][" . $x . "]['" . $fieldname . "'] = \"" . $value . "\";";
 //echo($comd . "
");
 eval($comd);
 }
--
cgit v1.1