functions.php: url parsing checks in distromatic pages to prevent security issues

functions.php

@@ -63,17 +63,29 @@ function set_title($title) {
       parse_str($urlargs, $args);
       $newtitle = $title;
       if ($args['arch']) {
-         $newtitle = $args['arch'] . " - " . $newtitle;
+         if (preg_match('/^[a-zA-Z0-9._]*$/', $args['arch'])) {
+             $newtitle = urlencode($args['arch']) . " - " . $newtitle;
+         } else {
+             $newtitle = " Invalid request - " . $newtitle;
+         }
       }
       if ($args['tag']) {
-         $newtitle  = $args['tag'] . " - " . $newtitle;
+         if (preg_match('/^[a-zA-Z0-9._-]*$/', $args['tag'])) {
+            $newtitle  = urlencode($args['tag']) . " - " . $newtitle;
+         } else {
+             $newtitle = " Invalid request - " . $newtitle;
+         }
       }
       if ($args['pkg']) {
          if ($args['pkg'] == '_index')
             $newtitle = 'Index - ' . $newtitle;
          else {
-            $e = explode('.', $args['pkg']);
+            if (preg_match('/^[a-zA-Z0-9._+-]*$/', $args['pkg'])) {
+               $e = explode('.', urlencode($args['pkg']));
                $newtitle = $e[0] . " - " . $e[1] . " - " . $newtitle;
+            } else {
+               $newtitle = " Invalid request - " . $newtitle;
+            }
          }
       }
       return $newtitle;
@@ -267,10 +279,14 @@ function openmamba_distroquery_func() {
    else
       $outputlang = "en_US.UTF-8";
 
+   if (preg_match('/^[a-zA-Z0-9._\=\-\+\/\.\&\:]*$/', $urlargs)) {
        $ret = "<div id=\"noajax_msg\"></div>";
        $ret .= "<span id=\"queryform\">Loading, please wait...</span><br>";
        $ret .= "<span id=\"querystatus\"></span><br><span id=\"queryreply\">&nbsp;</span>";
        $ret .= "<script>$(document).ready(function(){ distroquery_request(\"" . $urlargs . "\"); })</script>";
+   } else {
+      $ret = "<span id=\"distromatic\">" . __("Invalid request.", "responsive") . "</span><br>";
+   }
 
    return $ret;
 }
@@ -289,8 +305,12 @@ function openmamba_distromatic_func() {
    else
       $outputlang = "en_US.UTF-8";
 
+   if (preg_match('/^[a-zA-Z0-9._\=\-\+\/\.\&\:]*$/', $urlargs)) {
       $ret = "<span id=\"distromatic\">" . __("Loading, please wait...", "responsive") . "</span><br>";
       $ret .= "<script>$(document).ready(function(){ $('#distromatic').load('/distribution/distromatic.naked.html?" . $urlargs . "'); })</script>";
+   } else {
+      $ret = "<span id=\"distromatic\">" . __("Invalid request.", "responsive") . "</span><br>";
+   }
 
    return $ret;
 }
@@ -303,8 +323,12 @@ function openmamba_showfile_func() {
       $urlargs = substr($_SERVER['REQUEST_URI'], $urlargspos + 1);
    }
 
+   if (preg_match('/^[a-zA-Z0-9._\=\-\+\/\.\&\:]*$/', $urlargs)) {
       $ret = "<span id=\"distromatic\">" . "Loading, please wait..." . "</span><br>";
       $ret .= "<script>$(document).ready(function(){ $('#distromatic').load('/distribution/showfile.naked.html?" . $urlargs . "'); })</script>";
+   } else {
+      $ret = "<span id=\"distromatic\">" . __("Invalid request.", "responsive") . "</span><br>";
+   }
 
    return $ret;
 }