From 8fa299b2f2cd6a659ea3508140782e0e1f471b4c Mon Sep 17 00:00:00 2001
From: Silvan Calarco
Date: Tue, 21 May 2013 16:40:40 +0200
Subject: [PATCH] webbuild-functions: filter web server REMOTE_* variables in cgi_getvars function for security
---
 webbuild/webbuild-functions | 1 +
 1 file changed, 1 insertion(+)
diff --git a/webbuild/webbuild-functions b/webbuild/webbuild-functions
index 21ece5a..50ea163 100644
--- a/webbuild/webbuild-functions
+++ b/webbuild/webbuild-functions
@@ -136,6 +136,7 @@ function cgi_getvars()
 p=`echo $q | sed "s|&.*||"`
 q=`echo $q | sed "s|[^&]*&||"`
 k="${p%%=*}" # get the key (variable name) from it
+ [ "$k" = "REMOTE_ADDR" -o "$k" = "REMOTE_HOST" -o "$k" = "REMOTE_PORT" -o "$k" = "REMOTE_USER" ] && continue
 v="${p#*=}" # get the value from it
 # decode and evaluate var if requested
 if [ "$k" != "SPECTEXT" ]; then
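Review bot: The added test on `$k` is a denylist of four exact names, so a request parameter can still name any other variable the web server or the shell sets (the rest of the CGI environment, `PATH`, `IFS`, this script's own variables). The "decode and evaluate var" step that follows lies outside this hunk and presumably assigns it. An allowlist is safer: accept only keys the caller declared, or at least only well-formed names, e.g. `case "$k" in ''|[0-9]*|*[!A-Za-z0-9_]*) continue ;; esac` ahead of the assignment. If the denylist stays, `case "$k" in REMOTE_*) continue ;; esac` matches the `REMOTE_*` of the commit title (covering `REMOTE_IDENT` as well) and avoids the ambiguous `-o` operator of `[`. cgi_getvars starts and ends outside the hunk, so confirm whether the "if requested" filter already restricts which keys are accepted.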