From 2f9951fe0e401ed231d61b8c3ad75531a6dbb797 Mon Sep 17 00:00:00 2001
From: Renato Botelho
Date: Fri, 6 Jun 2014 11:48:15 -0300
Subject: Add some protection to parameters that come through _GET
---
 usr/local/www/status_services.php | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
(limited to 'usr/local')
diff --git a/usr/local/www/status_services.php b/usr/local/www/status_services.php
index 48f9db4..c08f773 100755
--- a/usr/local/www/status_services.php
+++ b/usr/local/www/status_services.php
@@ -41,16 +41,20 @@ require_once("guiconfig.inc");
 require_once("service-utils.inc");
 require_once("shortcuts.inc");
-if (!empty($_GET['service'])) {
+$service_name = '';
+if (isset($_GET['service']))
+ $service_name = htmlspecialchars($_GET['service']);
+
+if (!empty($service_name)) {
 switch ($_GET['mode']) {
 case "restartservice":
- $savemsg = service_control_restart($_GET['service'], $_GET);
+ $savemsg = service_control_restart($service_name, $_GET);
 break;
 case "startservice":
- $savemsg = service_control_start($_GET['service'], $_GET);
+ $savemsg = service_control_start($service_name, $_GET);
 break;
 case "stopservice":
- $savemsg = service_control_stop($_GET['service'], $_GET);
+ $savemsg = service_control_stop($service_name, $_GET);
 break;
 }
 sleep(5);
--
cgit v1.1
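Review bot: `htmlspecialchars()` on the added `$service_name` line is HTML output encoding rather than input validation, so it only protects places where the name is later echoed into the page and does not constrain what `service_control_restart()`, `service_control_start()` and `service_control_stop()` receive. Those three calls still get the raw `$_GET` array as their second argument, so any other request parameter the helpers read from it (their bodies are not visible here) bypasses the new escaping. I would validate instead of encode, for example `if (isset($_GET['service']) && is_string($_GET['service']) && preg_match('/^[A-Za-z0-9_.-]+$/', $_GET['service']))` with the pattern adjusted to the real service names, or check the value against the list of configured services, and apply `htmlspecialchars()` where `$savemsg` or the name is printed. `$_GET['mode']` is also read without an `isset()` check, and because start/stop/restart are state-changing actions driven by GET it is worth confirming they are covered by the GUI's CSRF protection. The `if (!empty($service_name))` block continues past the end of the hunk.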