Item13897: Validate the defaultweb parameter.

Don't accept it unvalidated / untainted.
foswiki · Oct 30, 2016 · f023a40 · f023a40
1 parent 0069647
commit f023a40
Showing 1 changed file with 9 additions and 3 deletions.
diff --git a/core/lib/Foswiki/Request.pm b/core/lib/Foswiki/Request.pm
@@ -1250,9 +1250,15 @@ sub _establishParamList {
 
 sub _establishWeb {
     my $this = shift;
-    return ( $this->_pathParsed->{web}
-          || $this->param('defaultweb')
-          || $this->app->cfg->data->{UsersWebName} );
+
+    if ( $this->_pathParsed->{web} ) {
+        return $this->_pathParsed->{web};
+    }
+    elsif ( $this->param('defaultweb') ) {
+        return Foswiki::Sandbox::untaint( $this->param('defaultweb'),
+            \&Foswiki::Sandbox::validateWebName );
+    }
+    return $this->app->cfg->data->{UsersWebName};
 }
 
 sub _establishTopic {