From c2ec0439df79ed6e906b0821d8fba8166a55b183 Mon Sep 17 00:00:00 2001
From: Alexander
Date: Thu, 26 Jan 2023 18:39:24 +0000
Subject: [PATCH] validate page parameter to be a local filename

---
 wiki/index.php | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/wiki/index.php b/wiki/index.php
index b445e05..adb23ff 100644
--- a/wiki/index.php
+++ b/wiki/index.php
@@ -17,7 +17,17 @@ $additional_head = "
 $parser = wiki::factory(true);
-if (!isset($_GET["page"]) || !file_exists("pages/{$_GET['page']}.md")) {
+if(isset($_GET["page"])) {
+ $page=$_GET["page"];
+} else {
+ $page="";
+}
+
+if(preg_match("/[^a-z0-9_-]/", $page)) {
+ $page="";
+}
+
+if ($page=="" || !file_exists("pages/$page.md")) {
 $title = "tilde.chat~wiki";
 $additional_head .= "
@@ -73,7 +83,7 @@ if (!isset($_GET["page"]) || !file_exists("pages/{$_GET['page']}.md")) {
 } else {
- $pg = $parser->parse(file_get_contents("pages/{$_GET["page"]}.md"));
+ $pg = $parser->parse(file_get_contents("pages/$page.md"));
 $yml = $pg->getYAML();
 $title = $yml['title'] . " | tilde.chat~wiki";
 $description = $yml['description'] ?? "tilde.chat wiki article {$yml['title']}";
@@ -91,7 +101,7 @@ if (!isset($_GET["page"]) || !file_exists("pages/{$_GET['page']}.md")) {
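Review bot: The allow-list gate in the first hunk only blanks `$page` when `preg_match` returns a truthy value, so a non-string query value such as `?page[]=x` reaches `preg_match` as an array, which is a TypeError on PHP 8 (and, as far as I can tell, a warning with a null return that leaves `$page` unfiltered on PHP 7) rather than the 404 branch. Accepting the value only when it is a string and testing the match result against `0` keeps the check fail-closed: `$page = isset($_GET["page"]) && is_string($_GET["page"]) ? $_GET["page"] : "";` followed by `if (preg_match("/[^a-z0-9_-]/", $page) !== 0) { $page = ""; }`. Because the second and third hunks now build `pages/$page.md` for `file_get_contents` and the source link from this same variable, this block is the only place the page name is validated, so the final condition is also better written with strict comparison as `$page === ""`. The `if`/`else` that sets `$title` continues beyond the end of the hunk.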
getContent()?>
- .md"> + source