From 0f1f8ad8a8fb17ab350f751468ead5b4faecd3cb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaime=20Pe=CC=81rez=20Crespo?= <jaime.perez@uninett.no>
Date: Tue, 25 Feb 2020 10:46:39 +0100
Subject: [PATCH] Make errorreport.php verify the format of report IDs

---
 www/errorreport.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/www/errorreport.php b/www/errorreport.php
index 1c8071305..025a81ede 100644
--- a/www/errorreport.php
+++ b/www/errorreport.php
@@ -17,6 +17,10 @@ $reportId = $_REQUEST['reportId'];
 $email = $_REQUEST['email'];
 $text = $_REQUEST['text'];
 
+if (!preg_match('/^[0-9a-f]{8}$/', $reportId)) {
+    throw new \SimpleSAML\Error\Exception('Invalid reportID');
+}
+
 $data = null;
 try {
     $session = \SimpleSAML\Session::getSessionFromRequest();
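Review bot: The new pattern on the added `preg_match` line still accepts a trailing newline, because in PCRE `$` also matches immediately before a final `\n`, so a value such as `"0123abcd\n"` passes the format check; anchoring with the `D` modifier (or `\z`) closes that gap: `if (!preg_match('/^[0-9a-f]{8}$/D', $reportId)) {`. `$reportId` is read straight from `$_REQUEST` (visible in the hunk header), so it may also be absent or an array, in which case `preg_match` emits a warning or, on PHP 8, a `TypeError` before the intended `\SimpleSAML\Error\Exception` is reached; prefixing the condition with `!is_string($reportId) ||` keeps every rejection on the deliberate exception path. `$email` and `$text` are taken from `$_REQUEST` in the same way and are not validated in this hunk; presumably they are handled further down, since the rest of the script lies outside the hunk.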
-- 
GitLab