From 196e3ed6c492476cdca269f2a64b2c375139af99 Mon Sep 17 00:00:00 2001
From: Ilia Ross
Date: Fri, 11 Apr 2025 12:43:35 +0300
Subject: [PATCH 1/2] Fix to drop trailing dot to align
---
 lang/en | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lang/en b/lang/en
index fa480eb64..0bbfdbb05 100644
--- a/lang/en
+++ b/lang/en
@@ -267,7 +267,7 @@ progress_size2=Downloading $1 ($2) ..
 progress_nosize=Downloading $1 ..
 progress_datan=Received $1 ($2 %)
 progress_data2n=Received $1
-progress_done=.. download complete.
+progress_done=.. download complete
 progress_incache=Found $1 in cache ..
 readparse_cdheader=Missing Content-Disposition header
From d2d16608dcb3a0fbde94592762e7c28268ac0ca5 Mon Sep 17 00:00:00 2001
From: Ilia Ross
Date: Fri, 11 Apr 2025 14:12:33 +0300
Subject: [PATCH 2/2] Fix to filter out potentially dangerous characters
https://github.com/webmin/webmin/issues/1838#issuecomment-2795296531
---
 web-lib-funcs.pl | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/web-lib-funcs.pl b/web-lib-funcs.pl
index 29dad3119..a30cc5bcd 100755
--- a/web-lib-funcs.pl
+++ b/web-lib-funcs.pl
@@ -5255,8 +5255,11 @@ $config_file = "$config_directory/config";
 %gconfig = ( );
 &read_file_cached($config_file, \%gconfig);
 $gconfig{'webprefix'} = '' if (!exists($gconfig{'webprefix'}));
-if (!$gconfig{'webprefix'} && $gconfig{'webprefix_remote'}) {
+if (!$gconfig{'webprefix'} && $gconfig{'webprefix_remote'} &&
+ defined($ENV{'HTTP_X_WEBMIN_WEBPREFIX'})) {
 $gconfig{'webprefix'} = $ENV{'HTTP_X_WEBMIN_WEBPREFIX'};
+ # Filter out potentially dangerous characters
+ $gconfig{'webprefix'} =~ s/[^a-zA-Z0-9\.\-_\/]//g;
 }
 $null_file = $gconfig{'os_type'} eq 'windows' ? "NUL" : "/dev/null";
 $path_separator = $gconfig{'os_type'} eq 'windows' ? ';' : ':';
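Review bot: The added `s/[^a-zA-Z0-9\.\-_\/]//g` in web-lib-funcs.pl strips disallowed characters rather than rejecting the header, and the characters it keeps still admit a value that begins with `//` or contains `..` path segments. If `$gconfig{'webprefix'}` is later prepended to links or redirect targets (not visible in this hunk), a leading `//` would be treated by browsers as a protocol-relative URL. Matching the whole value against an anchored pattern and leaving `webprefix` empty on mismatch is stricter, for example `$gconfig{'webprefix'} = $1 if ($ENV{'HTTP_X_WEBMIN_WEBPREFIX'} =~ /^((?:\/[a-zA-Z0-9_\-]+(?:\.[a-zA-Z0-9_\-]+)*)*)$/);` in place of the assignment plus substitution. The comment could also state that `webprefix_remote` assumes a front-end proxy that sets or overwrites this header, since otherwise the value is client-controlled. These statements are top-level initialisation code that continues outside the hunk.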