API: sanitize username

https://github.com/marienfressinaud/FreshRSS/issues/13
author: Alexandre Alapetite <alexandre@alapetite.fr> 2014-02-27 23:53:06 +0100
committer: Alexandre Alapetite <alexandre@alapetite.fr> 2014-02-27 23:53:06 +0100
commit: d79da54c984fb4bb94bf4226d4318bfd408628db (patch)
tree: 3eb5918c7707ae645f5a5959af0e736ccea0856a /p/api
parent: ed27a69c3aa9a93552cebb587cf211a137fb71ca (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/p/api/greader.php b/p/api/greader.php
index 4122b12b9..291bcdf1f 100644
--- a/p/api/greader.php
+++ b/p/api/greader.php
@@ -124,7 +124,10 @@ function authorizationToUser() {
 	if ($headerAuth != '') {
 		$headerAuthX = explode('/', $headerAuth, 2);
 		if ((count($headerAuthX) === 2) && ($headerAuthX[1] === TEMP_AUTH)) {
-			return $headerAuthX[0];
+			$user = $headerAuthX[0];
+			if (ctype_alnum($user)) {
+				return $user;
+			}
 		}
 	}
 	return null;
author	Alexandre Alapetite <alexandre@alapetite.fr>	2014-02-27 23:53:06 +0100
committer	Alexandre Alapetite <alexandre@alapetite.fr>	2014-02-27 23:53:06 +0100
commit	d79da54c984fb4bb94bf4226d4318bfd408628db (patch)
tree	3eb5918c7707ae645f5a5959af0e736ccea0856a /p/api
parent	ed27a69c3aa9a93552cebb587cf211a137fb71ca (diff)