merchant

Merchant backend to process payments, run by merchants

commit c283cbd8393118d94abea6dcfb5d498c215e14a4
parent 698e2827d57838bef4d5ffea56289ce4159a1b2a
Author: Christian Grothoff <grothoff@gnunet.org>
Date:   Sun, 15 Feb 2026 19:50:43 +0100

fix #11083: reject data_source not starting with '/' when creating report

Diffstat:
Msrc/backend/taler-merchant-httpd_private-patch-report-ID.c | 9+++++++++
Msrc/backend/taler-merchant-httpd_private-post-reports.c | 9+++++++++
2 files changed, 18 insertions(+), 0 deletions(-)

diff --git a/src/backend/taler-merchant-httpd_private-patch-report-ID.c b/src/backend/taler-merchant-httpd_private-patch-report-ID.c
@@ -89,6 +89,15 @@ TMH_private_patch_report (const struct TMH_RequestHandler *rh,
 : MHD_NO;
 }
 }
+ if ('/' != data_source[0])
+ {
+ GNUNET_break_op (0);
+ return TALER_MHD_reply_with_error (connection,
+ MHD_HTTP_BAD_REQUEST,
+ TALER_EC_GENERIC_PARAMETER_MALFORMED,
+ "data_source");
+
+ }
 qs = TMH_db->update_report (TMH_db->cls,
 hc->instance->settings.id,
diff --git a/src/backend/taler-merchant-httpd_private-post-reports.c b/src/backend/taler-merchant-httpd_private-post-reports.c
@@ -98,6 +98,15 @@ TMH_private_post_reports (const struct TMH_RequestHandler *rh,
 }
 GNUNET_free (section);
 }
+ if ('/' != data_source[0])
+ {
+ GNUNET_break_op (0);
+ return TALER_MHD_reply_with_error (connection,
+ MHD_HTTP_BAD_REQUEST,
+ TALER_EC_GENERIC_PARAMETER_MALFORMED,
+ "data_source");
+
+ }
 qs = TMH_db->insert_report (TMH_db->cls,
 hc->instance->settings.id,
 program_section,
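Review bot: The new guard in TMH_private_patch_report checks only the first byte, so values such as `//host/path` or paths containing `..` segments still pass; the identical guard in TMH_private_post_reports (second hunk) has the same gap. How data_source is consumed later is not visible here, but if it is ever resolved against the backend's base URL, a leading `//` would be read as a network-path reference to a different host. Consider tightening the condition to `if ( ('/' != data_source[0]) || ('/' == data_source[1]) )`, which is safe to evaluate because the second index is only read once the first byte is known to be '/'. Because both handlers need exactly the same validation, a small shared helper would keep the two copies from drifting apart. Both function bodies start and end outside the hunks, so the parsing of data_source could not be checked.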