From 60fb627ad909fbef7ede75613567099c622108b3 Mon Sep 17 00:00:00 2001
From: Tanguy Pruvot
Date: Tue, 10 Apr 2018 11:03:01 +0200
Subject: [PATCH] security: be more strict with algo param

---
 web/yaamp/core/common/util.php | 6 ++++++
 web/yaamp/modules/site/SiteController.php | 6 +++---
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/web/yaamp/core/common/util.php b/web/yaamp/core/common/util.php
index d494035..6bc6462 100644
--- a/web/yaamp/core/common/util.php
+++ b/web/yaamp/core/common/util.php
@@ -54,6 +54,12 @@ function getiparam($p,$default=0)
 	return isset($_REQUEST[$p]) ? intval($_REQUEST[$p]) : $default;
 }
 
+function getalgoparam()
+{
+	$algo = strip_tags(substr(getparam('algo'), 0, 32));
+	return $algo;
+}
+
 //////////////////////////////////////////////////////
 
 function downloadFile($url, &$size)
diff --git a/web/yaamp/modules/site/SiteController.php b/web/yaamp/modules/site/SiteController.php
index e4c265d..80cf6a5 100644
--- a/web/yaamp/modules/site/SiteController.php
+++ b/web/yaamp/modules/site/SiteController.php
@@ -1077,7 +1077,7 @@ class SiteController extends CommonController
 		$this->goback();
 	}
 
-	public function actionCancelorder()
+	public function actionCancelorder()
 	{
 		if(!$this->admin) return;
 		$order = getdbo('db_orders', getiparam('id'));
@@ -1091,7 +1091,7 @@ class SiteController extends CommonController
 
 	public function actionAlgo()
 	{
-		$algo = substr(getparam('algo'), 0, 32);
+		$algo = getalgoparam();
 		$a = getdbosql('db_algos', "name=:name", array(':name'=>$algo));
 
 		if($a)
@@ -1108,7 +1108,7 @@ class SiteController extends CommonController
 
 	public function actionGomining()
 	{
-		$algo = substr(getparam('algo'), 0, 32);
+		$algo = getalgoparam();
 		if ($algo == 'all') {
 			return;
 		}
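Review bot: `strip_tags()` in the new `getalgoparam()` only removes HTML-looking fragments; it does not restrict the value to the shape an algo name can take, so anything outside an identifier alphabet (whitespace, quotes, punctuation) still reaches the callers, which is weaker than the "more strict" the subject line promises. Since the callers look the value up by name in db_algos and compare it against literals such as 'all', an allowlist check is the stricter form: `if (!preg_match('/^[a-z0-9_-]+$/', $algo)) return '';` before the return, with the exact alphabet confirmed against the names actually stored in db_algos. The helper should also carry a one-line contract comment, e.g. `// algo name from the request: truncated to 32 bytes and tag-stripped; still untrusted for any non-parameterised context`. `getparam()` is defined outside this hunk, so whether it can return null (and what `substr(null, 0, 32)` then yields on the project's PHP version) cannot be confirmed from here.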
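Review bot: `if ($algo == 'all')` in actionGomining still uses loose comparison; since `getalgoparam()` now always returns a string (strip_tags() returns a string), the strict form `if ($algo === 'all') {` is safe and avoids PHP's string/number comparison rules. The same helper call in actionAlgo in the previous hunk feeds a parameterised `name=:name` lookup and needs no change. actionGomining's body continues outside the hunk, so how `$algo` is used after the 'all' check is not visible here.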