From c26c4a8bec66d8ea5882c42177ae27b9703e9a94 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20SAUVAGE?= <sebsauvage@sebsauvage.net>
Date: Thu, 31 Oct 2013 22:53:22 +0100
Subject: [PATCH] arbitrary JSON file disclosure correction

The following securit issue has been fixed:
https://github.com/sebsauvage/ZeroBin/issues/30
---
 lib/zerobin.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/zerobin.php b/lib/zerobin.php
index 89585dbc..19d63ba2 100644
--- a/lib/zerobin.php
+++ b/lib/zerobin.php
@@ -315,7 +315,7 @@ class zerobin
         $dataid = $_SERVER['QUERY_STRING'];
 
         // Is this a valid paste identifier?
-        if (preg_match('/[a-f\d]{16}/', $dataid))
+        if (preg_match('\A[a-f\d]{16}\z', $dataid))
         {
             // Check that paste exists.
             if ($this->_model()->exists($dataid))