authorGravatar Alexis Degrugillier <github@ainw.org> 2014-09-21 18:40:08 -0400
committerGravatar Alexis Degrugillier <github@ainw.org> 2014-09-21 18:40:08 -0400
commit23e4577e02944567b8ac15581d9c0a0561d82046 (patch)
treee7587328481c395d59cfaecadb17459c5e2f5306 /app/Controllers/configureController.php
parent04403c5dfae2db051416ccf0b41559d02bb0d287 (diff)
Change param filter for user queries
Before, the filter was based on a blacklist, so the user could add something and get unwanted behavior. Now the filter is based on a whitelist, so the user can only use predetermined parameters.
Diffstat (limited to 'app/Controllers/configureController.php')
-rwxr-xr-xapp/Controllers/configureController.php13
1 files changed, 6 insertions, 7 deletions
diff --git a/app/Controllers/configureController.php b/app/Controllers/configureController.php
index a44ef3104..2bd13997f 100755
--- a/app/Controllers/configureController.php
+++ b/app/Controllers/configureController.php
@@ -493,18 +493,17 @@ class FreshRSS_configure_Controller extends Minz_ActionController {
* It gets the GET parameters and stores them in the configuration query
* storage. Before it is saved, the unwanted parameters are unset to keep
* lean data.
- *
- * @todo change the way of keeping lean data to have a more defensive
- * code. At the moment, the code accepts any parameters and discard
- * those on the black list. I think it is safer if we maintain a
- * whitelist instead.
*/
public function addQueryAction() {
+ $whitelist = array('get', 'order', 'name', 'search', 'state');
$queries = $this->view->conf->queries;
$query = Minz_Request::params();
$query['name'] = _t('query_number', count($queries) + 1);
- unset($query['output']);
- unset($query['token']);
+ foreach ($query as $key => $value) {
+ if (!in_array($key, $whitelist)) {
+ unset($query[$key]);
+ }
+ }
$queries[] = $query;
$this->view->conf->_queries($queries);
$this->view->conf->save();
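Review bot: The `in_array($key, $whitelist)` check in the new loop is a loose comparison, so an integer key such as `0` (a positional parameter in the request) compares equal to any non-numeric string under PHP's pre-8 rules and would survive the filter instead of being dropped; use `in_array($key, $whitelist, true)` so only the exact string keys pass. The docblock above the method still says "the unwanted parameters are unset", which now reads as the old blacklist behaviour; a wording like ` * storage. Only the parameters in the whitelist are kept.` would describe the new code. Unsetting entries inside the by-value `foreach` is safe in PHP because the loop iterates a copy, but `$value` is unused and could be dropped in favour of `array_keys($query)`. Whitelisting the key does not constrain the value of `get`, `order`, `search` or `state`; whether those are validated elsewhere is not visible in this hunk.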