Fix param name

Fix to consider unsafe params in index page referer check
2026-02-03 14:13:29 +00:00 · 2024-06-21 20:11:32 +03:00 · 2024-06-21 20:05:04 +03:00
1 changed files with 2 additions and 1 deletions
--- a/web-lib-funcs.pl
+++ b/web-lib-funcs.pl
@@ -5540,6 +5540,7 @@ my $unsafe_index = $unsafe_index_cgi ||
 		   &get_module_variable('$unsafe_index_cgi');
 my $trustvar = $trust_unknown_referers ||
 	       &get_module_variable('$trust_unknown_referers');
+my $unsafe_params = $ENV{'REQUEST_URI'} =~ /xhr/i;
 my $trust = 0;
 if (!$0) {
 	# Script name not known
@@ -5555,7 +5556,7 @@ elsif ($ENV{'DISABLE_REFERERS_CHECK'}) {
 	}
 elsif (($ENV{'SCRIPT_NAME'} =~ /^\/(index.cgi)?$/ ||
 	$ENV{'SCRIPT_NAME'} =~ /^\/([a-z0-9\_\-]+)\/(index.cgi)?$/i) &&
-       !$unsafe_index) {
+       !$unsafe_index && !$unsafe_params) {
 	# Script is a module's index.cgi, which is normally safe
 	$trust = 1;
 	}
Author	SHA1	Message	Date
Ilia Ross	7231eedf20	Fix param name	2024-06-21 20:11:32 +03:00
Ilia Ross	d69609f49a	Fix to consider unsafe params in index page referer check	2024-06-21 20:05:04 +03:00