14.0 fix CVE 2024 23817 (#28090)

* FIX CVE-2024-23817 * FIX syntax error --------- Co-authored-by: Regis Houssin <regis.houssin@inodbox.com>
Dolibarr · Feb 9, 2024 · 6a8be83 · 6a8be83
1 parent 662ab45
commit 6a8be83
Showing 1 changed file with 14 additions and 2 deletions.
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
@@ -1896,8 +1896,20 @@ function top_menu($head, $title = '', $target = '', $disablejs = 0, $disablehead
 
 			if (isset($_POST) && is_array($_POST)) {
 				foreach ($_POST as $key => $value) {
-					if ($key !== 'action' && $key !== 'password' && !is_array($value)) {
-						$qs .= '&'.$key.'='.urlencode($value);
+					$key = preg_replace('/[^a-z0-9_\-\[\]]/i', '', $key);
+					if (in_array($key, array('action', 'massaction', 'password'))) {
+						continue;
+					}
+					if (!is_array($value)) {
+						if ($value !== '') {
+							$qs .= '&'.$key.'='.urlencode($value);
+						}
+					} else {
+						foreach ($value as $value2) {
+							if (($value2 !== '') && (!is_array($value2))) {
+								$qs .= '&'.$key.'[]='.urlencode($value2);
+							}
+						}
 					}
 				}
 			}