From 182a6509e9bc2340718ccc00355a3667f350be59 Mon Sep 17 00:00:00 2001
From: D9ping
Date: Mon, 6 Aug 2018 15:02:57 +0200
Subject: [PATCH] Don't allow to read ini file everywhere on filesystem.

Signed-off-by: D9ping
---
 ajax/networking/get_int_config.php | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/ajax/networking/get_int_config.php b/ajax/networking/get_int_config.php
index 5e1c9b8..d29ee73 100644
--- a/ajax/networking/get_int_config.php
+++ b/ajax/networking/get_int_config.php
@@ -5,8 +5,7 @@ include_once('../../includes/functions.php');
 if(isset($_POST['interface']) && isset($_POST['csrf_token']) && CSRFValidate()) {
- $int = $_POST['interface'];
- // FIXME slashes and other forbidden filename characters not stripped. [security]
+ $int = preg_replace('/[^a-z0-9]/', '', $_POST['interface']);
 if(!file_exists(RASPI_CONFIG_NETWORKING.'/'.$int.'.ini')) {
 touch(RASPI_CONFIG_NETWORKING.'/'.$int.'.ini');
 }