From 632e7d74e5c5dd3f772cc3e4ea01e9a611de79ca Mon Sep 17 00:00:00 2001
From: Harald Bamberger
Date: Thu, 11 Sep 2025 11:25:18 +0200
Subject: [PATCH] add validation
---
 .../controllers/api/frontend/v1/RouteInfo.php | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/application/controllers/api/frontend/v1/RouteInfo.php b/application/controllers/api/frontend/v1/RouteInfo.php
index f9b4df7f3..78db3ba2c 100644
--- a/application/controllers/api/frontend/v1/RouteInfo.php
+++ b/application/controllers/api/frontend/v1/RouteInfo.php
@@ -35,7 +35,7 @@ class RouteInfo extends FHCAPI_Controller
 {
 $payload = json_decode($this->input->raw_input_stream);
- if (isset($payload->app) && isset($payload->path))
+ if (isset($payload->app) && isset($payload->path) && $this->isValidApp($payload->app) && $this->isValidPath($payload->path))
 {
 $this->WebservicelogModel->insert(array(
 'webservicetyp_kurzbz' => 'content',
@@ -47,4 +47,14 @@ class RouteInfo extends FHCAPI_Controller
 }
 $this->terminateWithSuccess(true);
 }
+
+ protected function isValidApp($app)
+ {
+ return preg_match("/^[A-Za-z0-9\-_]+$/", $app);
+ }
+
+ protected function isValidPath($path)
+ {
+ return preg_match("/^[\/A-Za-z0-9_.\-~?%=&;]+$/", $path);
+ }
 }
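Review bot: The extended condition only checks `isset()`, which is also true for arrays, objects and numbers, so a decoded payload whose `app` or `path` is not a string still reaches `preg_match()` in the new validators. On PHP 8 an array or object subject raises a `TypeError` rather than a clean rejection (the PHP version in use is not visible here). Guard the type before validating, e.g. `if (isset($payload->app, $payload->path) && is_string($payload->app) && is_string($payload->path) && $this->isValidApp($payload->app) && $this->isValidPath($payload->path))`. The method starts above the hunk and the `insert()` argument list continues below it, so how the two values are stored cannot be checked from here.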
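Review bot: Both patterns end in `$` without the `D` modifier, so in `isValidApp()` and `isValidPath()` a value with one trailing newline still matches; anchor with `\z` (or add `D`) so the allowlist covers the whole string. `preg_match()` returns `1`, `0` or `false`, so compare against `1` to return a real boolean and treat a PCRE error as invalid: `return preg_match('/\A[A-Za-z0-9_-]+\z/', $app) === 1;`, and likewise for the path pattern. Neither validator bounds the length, and `%` is allowed in the path, so the logged value can be arbitrarily long and still carry percent-encoded bytes; a length cap here and output escaping wherever the log is displayed would cover that. A short docblock on each method stating which characters are accepted and that the value is written to the web-service log would help the next reader.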