From 5309338c286e2d148963d6bdbe7c4a40e746a3ce Mon Sep 17 00:00:00 2001
From: Till Brehm <tbrehm@ispconfig.org>
Date: Sat, 30 Dec 2017 17:27:42 +0100
Subject: [PATCH] Added regex check for next_tab variable in form handler.

---
 interface/lib/classes/tform.inc.php | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/interface/lib/classes/tform.inc.php b/interface/lib/classes/tform.inc.php
index 503bd24eb8..b28e503224 100644
--- a/interface/lib/classes/tform.inc.php
+++ b/interface/lib/classes/tform.inc.php
@@ -115,11 +115,18 @@ class tform extends tform_base {
 			// Show the same tab again in case of an error
 			$active_tab = $_SESSION["s"]["form"]["tab"];
 		}
+		
+		if(!preg_match('/^[a-zA-Z0-9_]{0,50}$/',$active_tab)) {
+			die('Invalid next tab name.');
+		}
 
 		return $active_tab;
 	}
 
 	function getCurrentTab() {
+		if(!preg_match('/^[a-zA-Z0-9_]{0,50}$/',$_SESSION["s"]["form"]["tab"])) {
+			die('Invalid current tab name.');
+		}
 		return $_SESSION["s"]["form"]["tab"];
 	}
 
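Review bot: The pattern `/^[a-zA-Z0-9_]{0,50}$/` in both added checks still accepts a tab name ending in a newline, because `$` in PCRE without the `D` modifier also matches just before a final `\n`. Anchor the end with `\z` instead, e.g. `if(!preg_match('/^[a-zA-Z0-9_]{0,50}\z/',$active_tab)) {`, and apply the same change to the check in `getCurrentTab()`. The identical regex is written out twice, so a small private helper holding the pattern would keep the two checks from drifting apart. The first check sits in a function whose start is outside the hunk, so how `$active_tab` is assigned before the session fallback is not visible here; if it can come from the request as an array, an `is_string()` guard ahead of `preg_match()` would make the rejection explicit.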
-- 
GitLab