From 5d0a02c722ce9345b93b66fd7cebedc0b7584751 Mon Sep 17 00:00:00 2001
From: Rod Roark
Date: Fri, 8 Apr 2011 06:21:24 -0700
Subject: [PATCH] Security fix for site ID.

---
 index.php | 3 +++
 interface/globals.php | 2 ++
 2 files changed, 5 insertions(+)

diff --git a/index.php b/index.php
index a3454d369..1b5c95426 100644
--- a/index.php
+++ b/index.php
@@ -14,6 +14,9 @@ else if (is_dir("sites/" . $_SERVER['HTTP_HOST']))
 else
 $site_id = 'default';
+if (empty($site_id) || preg_match('/[^A-Za-z0-9\\-.]/', $site_id))
+ die("Site ID '$site_id' contains invalid characters.");
+
 require_once("sites/$site_id/sqlconf.php");
 ?>
diff --git a/interface/globals.php b/interface/globals.php
index e08a7b225..0ae344f06 100644
--- a/interface/globals.php
+++ b/interface/globals.php
@@ -127,6 +127,8 @@ if (empty($_SESSION['site_id']) || !empty($_GET['site'])) {
 $tmp = $_SERVER['HTTP_HOST'];
 if (!is_dir($GLOBALS['OE_SITES_BASE'] . "/$tmp")) $tmp = "default";
 }
+ if (empty($tmp) || preg_match('/[^A-Za-z0-9\\-.]/', $tmp))
+ die("Site ID '$tmp' contains invalid characters.");
 if (!isset($_SESSION['site_id']) || $_SESSION['site_id'] != $tmp) {
 $_SESSION['site_id'] = $tmp;
 error_log("Session site ID has been set to '$tmp'"); // debugging
-- 
2.11.4.GIT
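Review bot: The new `die("Site ID '$site_id' contains invalid characters.")` in index.php writes the rejected value back into the response unescaped, and the only way to reach that line is for `$site_id` to contain characters outside `[A-Za-z0-9\-.]`, so what gets echoed is exactly the part of the input the check was meant to keep out of the page (the context line shows it is derived from `$_SERVER['HTTP_HOST']`, which the client controls). Leave the value out of the user-facing message and keep it server-side if it is needed for diagnosis: `error_log("Rejected site ID '$site_id'"); die('Site ID contains invalid characters.');`. The same reflected value appears in the interface/globals.php hunk's `die("Site ID '$tmp' ...")` and should be treated the same way. The if/else chain that assigns `$site_id` begins above the hunk, so any earlier branch taking the value from a request parameter is not visible here.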
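Review bot: The character class in the new `preg_match('/[^A-Za-z0-9\\-.]/', $tmp)` in interface/globals.php permits `.`, so a value consisting only of dots (`.` or `..`) is neither empty nor rejected, yet `$GLOBALS['OE_SITES_BASE'] . "/$tmp"` then names the sites directory itself or its parent rather than a site, and `is_dir()` on that path is true so the `"default"` fallback does not fire. Since `$tmp` can come from `$_GET['site']` (per the hunk header) or the Host header, anchor the allowlist and pin the first character instead of only blacklisting characters: `if (empty($tmp) || !preg_match('/^[A-Za-z0-9][A-Za-z0-9\\-.]*$/', $tmp))`. The index.php hunk has the same gap with `$site_id` and `require_once("sites/$site_id/sqlconf.php")`. The enclosing `if (empty($_SESSION['site_id']) || !empty($_GET['site'])) {` block opens before the hunk and its closing brace lies beyond it.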