From b52db895457e3b2470409a892e0de944e23ea4be Mon Sep 17 00:00:00 2001
From: Urban Müller
Date: Wed, 18 Nov 2015 15:39:20 +0100
Subject: security: whitelist legal chars
---
 itjs.class | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/itjs.class b/itjs.class
index c54abd3..8e79fad 100644
--- a/itjs.class
+++ b/itjs.class
@@ -134,9 +134,12 @@ static function filenames($filelist)
 "PIE.htc" => "$libsearch/doc/PIE.htc",
 );
- foreach (array_filter(explode(",", basename($filelist))) as $file)
+ if (it::match("[^-\w.=?&,]", basename($filelist)))
+ it::error("bad filelist $filelist");
+
+ foreach (it::match("[-\w.=?&]+", basename($filelist), array('all' => true)) as $file)
 {
- $filenames = $special[$file] ?: (file_exists("$path/" . it::replace(array('[\?\x00].*' => ""), $file)) ? "$path/$file" : "$libsearch/itjs/$file");
+ $filenames = $special[$file] ?: (file_exists("$path/$file") ? "$path/$file" : "$libsearch/itjs/$file");
 foreach (explode(",", $filenames) as $filename)
 if (!$seen[$filename]++)
-- 
cgit v1.2.3
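Review bot: The new whitelist check only calls `it::error("bad filelist $filelist")`, and the `foreach` after it runs regardless, so unless `it::error` aborts the request (not visible in this hunk) a rejected filelist is still processed, with the illegal characters simply acting as separators for `it::match(..., array('all' => true))`. If it only reports, return before the loop, e.g. `return array();`, assuming the function returns a list. Separately, the whitelist still admits `?`, `=` and `&`, but the rewritten `file_exists("$path/$file")` no longer strips the `?…` suffix that the removed line handled, so a constructed name such as `foo.js?v=1` would miss in `$path` and fall through to `$libsearch/itjs/`. The class also accepts a bare `..` token, which `file_exists` reports as present because it is a directory; an `is_file()` test would be the stricter check. The body of `filenames()` starts and ends outside this hunk.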