From 0e6cf71b17cc57c40aebc64359c1a27e2515b7b7 Mon Sep 17 00:00:00 2001
From: Renato Botelho <garga@FreeBSD.org>
Date: Wed, 12 Mar 2014 11:35:57 -0300
Subject: Improve checks for params 'id', 'dup' and other similar ones to make
 sure they are numeric integer, also, pass them through htmlspecialchars()
 before print

---
 usr/local/www/services_captiveportal_ip_edit.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'usr/local/www/services_captiveportal_ip_edit.php')

diff --git a/usr/local/www/services_captiveportal_ip_edit.php b/usr/local/www/services_captiveportal_ip_edit.php
index f16532c..7473fc3 100755
--- a/usr/local/www/services_captiveportal_ip_edit.php
+++ b/usr/local/www/services_captiveportal_ip_edit.php
@@ -73,8 +73,9 @@ if (!is_array($config['captiveportal']))
         $config['captiveportal'] = array();
 $a_cp =& $config['captiveportal'];
 
-$id = $_GET['id'];
-if (isset($_POST['id']))
+if (is_numericint($_GET['id']))
+	$id = $_GET['id'];
+if (isset($_POST['id']) && is_numericint($_POST['id']))
 	$id = $_POST['id'];
 
 if (!is_array($config['captiveportal'][$cpzone]['allowedip']))
-- 
cgit v1.1