From 01d650ca06a688e68a22f210479a3c7d13b0bde8 Mon Sep 17 00:00:00 2001
From: Ilia Ross
Date: Tue, 10 Mar 2026 17:29:17 +0200
Subject: [PATCH] Fix fsdump stored extra option validation on save (#6)
---
 fsdump/save_dump.cgi | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/fsdump/save_dump.cgi b/fsdump/save_dump.cgi
index aeb900c43..3da8d5e3e 100755
--- a/fsdump/save_dump.cgi
+++ b/fsdump/save_dump.cgi
@@ -75,6 +75,10 @@ else {
 $dump->{'email'} = $in{'email_def'} ? '*' : $in{'email'};
 $dump->{'subject'} = $in{'subject_def'} ? undef : $in{'subject'};
 if ($access{'extra'}) {
+ if (defined($in{'extra'}) &&
+ $in{'extra'} =~ /[;&|`\$<>\r\n\0]/) {
+ &error("Invalid extra command-line parameters");
+ }
 $dump->{'extra'} = $in{'extra'};
 }
 if ($access{'cmds'}) {
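Review bot: The added check on `$in{'extra'}` is a denylist of shell metacharacters, so anything not listed (quotes, parentheses, glob characters, or an option the backup program itself acts on) is still stored in `$dump->{'extra'}`; an allowlist anchored to the whole string would fail closed, e.g. `$in{'extra'} =~ /\A[\w.,:=\/\@+ -]*\z/ || &error("Invalid extra command-line parameters");`, with the character set adjusted to what the supported dump options actually need. The check also runs only on this save path, so values already stored, or written by any other code path, are presumably not covered unless the code that builds the command line validates or quotes `extra` again at the point of use; that code is not visible in this hunk. A short comment above the check, such as `# extra ends up on the dump command line (per the error text); reject anything outside the allowed option characters`, would record why it exists. The enclosing `else {` block starts before the hunk and continues past it.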