From 1f8c35b70bc1271a421fafba1c9d6d642a958831 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Wed, 28 May 2014 19:38:30 +0200
Subject: [PATCH] Fix: security

---
 htdocs/cashdesk/affContenu.php | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/htdocs/cashdesk/affContenu.php b/htdocs/cashdesk/affContenu.php
index b88c78ffb4d..ca471e0bdf4 100644
--- a/htdocs/cashdesk/affContenu.php
+++ b/htdocs/cashdesk/affContenu.php
@@ -54,16 +54,23 @@ print '</div>';
 
 print '<div class="principal">';
 
-if ( $_GET['menu'] )
+$page=GETPOST('menu','alpha');
+if (in_array(
+		$page,
+		array(
+			'deconnexion',
+			'index','index_verif','facturation','facturation_verif','facturation_dhtml',
+			'validation','validation_ok','validation_ticket','validation_verif',
+		)
+	))
 {
-	include $_GET['menu'].'.php';
+	include $page.'.php';
 }
 else
 {
-	include 'facturation.php';
+	dol_print_error('','menu param '.$page.' is not inside allowed list');
 }
 
 print '</div>';
 
 $_SESSION['serObjFacturation'] = serialize($obj_facturation);
-
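Review bot: The else branch at line 35 now raises an error on an empty `$page`, whereas the removed code fell back to `facturation.php` when no `menu` parameter was given; if affContenu.php is ever reached without that parameter this is a regression, and `if ($page == '') $page = 'facturation';` placed before the `in_array` check keeps the default while staying inside the allowlist. The `in_array` call should also pass `true` as its third argument so the comparison is strict rather than loose. The error message echoes the rejected `$page` value; whether `dol_print_error` HTML-escapes its argument is not visible here, so either confirm that it does or log the value instead of printing it back to the browser.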
-- 
GitLab