arbitrary JSON file disclosure correction

The following securit issue has been fixed:
https://github.com/sebsauvage/ZeroBin/issues/30
This commit is contained in:
Sébastien SAUVAGE 2013-10-31 22:53:22 +01:00 committed by Simon Rupf
parent d850f343e5
commit c26c4a8bec

View File

@ -315,7 +315,7 @@ class zerobin
$dataid = $_SERVER['QUERY_STRING'];
// Is this a valid paste identifier?
if (preg_match('/[a-f\d]{16}/', $dataid))
if (preg_match('\A[a-f\d]{16}\z', $dataid))
{
// Check that paste exists.
if ($this->_model()->exists($dataid))