From c26c4a8bec66d8ea5882c42177ae27b9703e9a94 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20SAUVAGE?= Date: Thu, 31 Oct 2013 22:53:22 +0100 Subject: [PATCH] arbitrary JSON file disclosure correction The following securit issue has been fixed: https://github.com/sebsauvage/ZeroBin/issues/30 --- lib/zerobin.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/zerobin.php b/lib/zerobin.php index 89585dbc..19d63ba2 100644 --- a/lib/zerobin.php +++ b/lib/zerobin.php @@ -315,7 +315,7 @@ class zerobin $dataid = $_SERVER['QUERY_STRING']; // Is this a valid paste identifier? - if (preg_match('/[a-f\d]{16}/', $dataid)) + if (preg_match('\A[a-f\d]{16}\z', $dataid)) { // Check that paste exists. if ($this->_model()->exists($dataid))