limit the update-check.cgi to parse for cmd=download and not parse arbitrary query string options.

jens-maus · jens-maus · commit 94651d000528 · 2022-06-17T15:45:44.000+02:00
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-2.4
+2.5
diff --git a/www/update-check.cgi b/www/update-check.cgi
@@ -7,8 +7,9 @@ catch {
   set input $env(QUERY_STRING)
   set pairs [split $input &]
   foreach pair $pairs {
-    if {0 != [regexp "^(\[^=]*)=(.*)$" $pair dummy varname val]} {
-      set $varname $val
+    if {$pair == "cmd=download"} {
+      set cmd "download"
+      break
     }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -7,8 +7,9 @@ catch {`
`7`	`7`	`set input $env(QUERY_STRING)`
`8`	`8`	`set pairs [split $input &]`
`9`	`9`	`foreach pair $pairs {`
`10`		`- if {0 != [regexp "^(\[^=])=(.)$" $pair dummy varname val]} {`
`11`		`- set $varname $val`
	`10`	`+ if {$pair == "cmd=download"} {`
	`11`	`+ set cmd "download"`
	`12`	`+ break`
`12`	`13`	`}`
`13`	`14`	`}`
`14`	`15`	`}`