From d79da54c984fb4bb94bf4226d4318bfd408628db Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite
Date: Thu, 27 Feb 2014 23:53:06 +0100
Subject: API: sanitize username

https://github.com/marienfressinaud/FreshRSS/issues/13
---
 p/api/greader.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'p/api')

diff --git a/p/api/greader.php b/p/api/greader.php
index 4122b12b9..291bcdf1f 100644
--- a/p/api/greader.php
+++ b/p/api/greader.php
@@ -124,7 +124,10 @@ function authorizationToUser() {
 if ($headerAuth != '') {
 $headerAuthX = explode('/', $headerAuth, 2);
 if ((count($headerAuthX) === 2) && ($headerAuthX[1] === TEMP_AUTH)) {
- return $headerAuthX[0];
+ $user = $headerAuthX[0];
+ if (ctype_alnum($user)) {
+ return $user;
+ }
 }
 }
 return null;
-- cgit v1.2.3
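Review bot: The new `ctype_alnum($user)` allow-list is locale-dependent on the PHP versions this 2014 code targets: if the process has a non-C locale set via setlocale(), bytes above 0x7F can be classified as alphanumeric, so the check is not guaranteed to be strictly ASCII. If the intent is that the username from the Authorization header is a safe identifier before it reaches whatever authorizationToUser()'s callers do with it (not visible here), an explicit locale-independent pattern is safer: `if (preg_match('/^[A-Za-z0-9]+$/', $user) === 1) {`. Note that ctype_alnum('') is false, so an empty user segment is already rejected and falls through to `return null`, which is indistinguishable from a missing header; that also means any existing account whose name contains `_`, `-` or `.` is now silently denied API access, so the accepted charset should be confirmed against wherever usernames are created. authorizationToUser() starts before this hunk, so how $headerAuth is obtained is not visible in the change.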