From e41ec5848f21015068255c1d61d01edf442e8e7e Mon Sep 17 00:00:00 2001
From: Renato Botelho <garga@FreeBSD.org>
Date: Wed, 12 Mar 2014 11:35:57 -0300
Subject: Improve checks for params 'id', 'dup' and other similar ones to make
 sure they are numeric integer, also, pass them through htmlspecialchars()
 before print

---
 usr/local/www/vpn_l2tp_users_edit.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'usr/local/www/vpn_l2tp_users_edit.php')

diff --git a/usr/local/www/vpn_l2tp_users_edit.php b/usr/local/www/vpn_l2tp_users_edit.php
index f4ef5f0..1dd0a82 100644
--- a/usr/local/www/vpn_l2tp_users_edit.php
+++ b/usr/local/www/vpn_l2tp_users_edit.php
@@ -59,8 +59,9 @@ if (!is_array($config['l2tp']['user'])) {
 }
 $a_secret = &$config['l2tp']['user'];
 
-$id = $_GET['id'];
-if (isset($_POST['id']))
+if (is_numericint($_GET['id']))
+	$id = $_GET['id'];
+if (isset($_POST['id']) && is_numericint($_POST['id']))
 	$id = $_POST['id'];
 
 if (isset($id) && $a_secret[$id]) {
-- 
cgit v1.1