MFH
authorStefan Esser <sesser@php.net>
Sun, 12 Sep 2004 10:46:49 +0000 (10:46 +0000)
committerStefan Esser <sesser@php.net>
Sun, 12 Sep 2004 10:46:49 +0000 (10:46 +0000)
main/rfc1867.c

index 1c2adef9a616dec0c41af8fb5b6cd17f7ab54c0f..b6604d04d7954e2877829526037abae26f7a437c 100644 (file)
@@ -932,6 +932,25 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)
                                }
                                SAFE_RETURN;
                        }
+                       
+                       /* New Rule: never repair potential malicious user input */
+                       if (!skip_upload) {
+                               char *tmp = param;
+                               long c = 0;
+                               
+                               while (*tmp) {
+                                       if (*tmp == '[') {
+                                               c++;
+                                       } else if (*tmp == ']') {
+                                               c--;
+                                       }
+                                       if (c < 0) {
+                                               skip_upload = 1;
+                                               break;
+                                       }
+                                       tmp++;                          
+                               }
+                       }
 
                        if (!skip_upload) {
                                /* Handle file */
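Review bot: The bracket scan sets `skip_upload` only when a `]` appears before its `[` (`c < 0`), so a name that ends the loop with `c > 0`, such as one with an unterminated `[`, still passes the check. Because the second hunk removes the old `*start_arr = '_'` repair, such a name now reaches the later handling unmodified with `is_arr_upload` false; how the registration code outside this hunk treats it is not visible here, but under the stated rule it should be rejected rather than passed on. Add after the `while` loop: `if (c != 0) { skip_upload = 1; }`. The comment above the loop states the policy but not what counts as malformed, so a short line naming the rejected cases (a closing bracket without an opener, brackets left open) would help the next reader. The handler's body starts and ends outside the hunk.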
@@ -1000,10 +1019,6 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)
                         * start_arr is set to point to 1st [
                         */
                        is_arr_upload = (start_arr = strchr(param,'[')) && (param[strlen(param)-1] == ']');
-                       /* handle unterminated [ */
-                       if (!is_arr_upload && start_arr) {
-                               *start_arr = '_';
-                       }
 
                        if (is_arr_upload) {
                                array_len = strlen(start_arr);