Fix: security

1f8c35b7 · Laurent Destailleur · baa57343 · 1f8c35b7
Commit 1f8c35b7 authored 10 years ago by Laurent Destailleur
--- a/htdocs/cashdesk/affContenu.php
+++ b/htdocs/cashdesk/affContenu.php
@@ -54,16 +54,23 @@ print '</div>';
 print '<div class="principal">';
-if ( $_GET['menu'] )
+$page=GETPOST('menu','alpha');
+if (in_array(
+		$page,
+		array(
+			'deconnexion',
+			'index','index_verif','facturation','facturation_verif','facturation_dhtml',
+			'validation','validation_ok','validation_ticket','validation_verif',
+		)
+	))
 {
-	include $_GET['menu'].'.php';
+	include $page.'.php';
 }
 else
 {
-	include 'facturation.php';
+	dol_print_error('','menu param '.$page.' is not inside allowed list');
 }
 print '</div>';
 $_SESSION['serObjFacturation'] = serialize($obj_facturation);