X-Git-Url: https://git.harvie.cz/?a=blobdiff_plain;f=wwwroot%2Fnodes.php;h=a1e6456c3c5f89eaf78542503faaf1a26ce0ae34;hb=5586f4ec30ee38861b0a9135cdd88cf2b07e03c4;hp=ef084411e09ba510e153f8fb35e52f64f31739a3;hpb=fd15ea3a496d31453e21ac89ff4be0ae3fe671ef;p=mirrors%2FKyberia-bloodline.git
diff --git a/wwwroot/nodes.php b/wwwroot/nodes.php
index ef08441..a1e6456 100644
--- a/wwwroot/nodes.php
+++ b/wwwroot/nodes.php
@@ -67,14 +67,15 @@ $smarty->template_dir = TEMPLATE_DIR;
 //echo TEMPLATE_DIR.TEMPLATE_SET;
 //echo $smarty->template_dir;
 $smarty->compile_dir = SYSTEM_DATA."templates_c/";
-$smarty->config_dir = SMARTY_DIR.'configs/'; #XXX neexistuje
+$smarty->config_dir = SMARTY_DIR.'configs/'; //XXX neexistuje
 $smarty->cache_dir = SMARTY_DIR.'cache/';
 $smarty->plugins_dir = SMARTY_PLUGIN_DIR ;
 if ($_SESSION['debugging']) $smarty->debugging=true;
-//initializing variables
+// initializing variables
+// preg_replace prevents LFI
 if (empty($_POST['event'])) $event=false;
-else $event=$_POST['event'];
+else $event= preg_replace( "![^a-zA-Z0-9_]+!", "", $_POST['event']);
 if ($_SESSION['debugging']) {
@@ -360,7 +361,7 @@ if ($user_id=$_SESSION['user_id']) {
 $user_id);
 $newmailset = $db->query($newmail_q);
-# $newmailset=$db->query("select user_mail,user_mail_name,user_k,k_wallet from users where user_id='$user_id'");
+//$newmailset=$db->query("select user_mail,user_mail_name,user_k,k_wallet from users where user_id='$user_id'");
 $newmailset->next();
 $new_mail=$newmailset->getString('user_mail');
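Review bot: The new `else` branch in the first hunk sanitises by deletion rather than rejection, so an input made only of disallowed characters (e.g. `../`) collapses to the empty string, which is a different "no event" value from the `false` assigned by the `empty()` branch directly above it; any later code that distinguishes `$event === false` (outside this hunk) would not see that case. Rejecting non-allowlisted input keeps both branches on the same sentinel: `if (empty($_POST['event']) || !preg_match('/^[a-zA-Z0-9_]+$/', $_POST['event'])) $event = false;` followed by `else $event = $_POST['event'];`. The comment `// preg_replace prevents LFI` should say what `$event` is used for rather than what the call prevents, e.g. `// $event must be a bare identifier ([A-Za-z0-9_]); it is later used to select a file/handler, so anything else is rejected` — assuming that downstream use is the reason for the comment, which is not visible here. Note also that `preg_replace()` returns `null` on a PCRE error, so the current form can leave `$event` in a third state (`null`) that neither branch accounts for.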