From 7d5d1600d6bf955e8512292529f752686d7a6537 Mon Sep 17 00:00:00 2001
From: Kevin Yeh
Date: Sat, 28 Jan 2012 08:17:52 -0500
Subject: [PATCH] Applying sanitization to formname directory for deleting forms. Also changing to rather than GET because the confirm sends the formname back as a post
---
 interface/patient_file/encounter/delete_form.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/interface/patient_file/encounter/delete_form.php b/interface/patient_file/encounter/delete_form.php
index dcdc4ef84..912e2f72a 100644
--- a/interface/patient_file/encounter/delete_form.php
+++ b/interface/patient_file/encounter/delete_form.php
@@ -2,7 +2,10 @@
 include_once("../../globals.php");
 
 // allow a custom 'delete' form
-$deleteform = $incdir . "/forms/" . $_GET["formname"]."/delete.php";
+$deleteform = $incdir . "/forms/" . $_REQUEST["formname"]."/delete.php";
+
+check_file_dir_name($_REQUEST["formname"]);
+
 if (file_exists($deleteform)) {
   include_once($deleteform);
   exit;
-- 
2.11.4.GIT
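Review bot: The new `check_file_dir_name($_REQUEST["formname"]);` line runs only after `$deleteform` has already been built from the same raw value on the line above it, and its return value is discarded, so the `include_once($deleteform)` that follows is safe only if `check_file_dir_name()` aborts the request on a bad name rather than returning a cleaned copy — its definition is not in this hunk, so that should be confirmed before relying on it. I would reorder so the check is visibly the gate on the path that gets included: `$formname = $_REQUEST["formname"];` / `check_file_dir_name($formname);` / `$deleteform = $incdir . "/forms/" . $formname . "/delete.php";`. Moving from `$_GET` to `$_REQUEST` also lets the value arrive via cookie as well as query string or body, so if the intent is only to accept the POST-back from the confirm page, reading `$_POST` with a `$_GET` fallback is the tighter choice. The enclosing script continues past the end of the hunk; nothing visible here checks a CSRF token before the custom delete handler is included, which is worth verifying further down.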