better input validation in files/index.php SC#307

2025-04-13 12:32:08 +02:00 · 2006-08-30 08:03:12 +00:00 · 2006-08-30 08:03:12 +00:00 · 61212e3f96
commit 61212e3f96
parent 02b22073b8
1 changed files with 1 additions and 1 deletions
--- a/files/index.php
+++ b/files/index.php
@ -16,7 +16,7 @@
    $action  = optional_param('action', '', PARAM_ACTION);
    $name    = optional_param('name', '', PARAM_FILE);
    $oldname = optional_param('oldname', '', PARAM_FILE);
-    $choose  = optional_param('choose', '', PARAM_CLEAN);
+    $choose  = optional_param('choose', '', PARAM_FILE); //in fact it is always 'formname.inputname'
    $userfile= optional_param('userfile','',PARAM_FILE);
    $save    = optional_param('save', 0, PARAM_BOOL);
    $text    = optional_param('text', '', PARAM_RAW);