From 6a8be838be264eb2176b6f67839e0b63f0e05b0c Mon Sep 17 00:00:00 2001
From: thomas-Ngr
Date: Fri, 9 Feb 2024 11:37:55 +0100
Subject: [PATCH] 14.0 fix CVE 2024 23817 (#28090)

* FIX CVE-2024-23817

* FIX syntax error

---------

Co-authored-by: Regis Houssin
---
 htdocs/main.inc.php | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 2e377a3571f..bec74efd549 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -1896,8 +1896,20 @@ function top_menu($head, $title = '', $target = '', $disablejs = 0, $disablehead
 if (isset($_POST) && is_array($_POST)) {
 foreach ($_POST as $key => $value) {
- if ($key !== 'action' && $key !== 'password' && !is_array($value)) {
- $qs .= '&'.$key.'='.urlencode($value);
+ $key = preg_replace('/[^a-z0-9_\-\[\]]/i', '', $key);
+ if (in_array($key, array('action', 'massaction', 'password'))) {
+ continue;
+ }
+ if (!is_array($value)) {
+ if ($value !== '') {
+ $qs .= '&'.$key.'='.urlencode($value);
+ }
+ } else {
+ foreach ($value as $value2) {
+ if (($value2 !== '') && (!is_array($value2))) {
+ $qs .= '&'.$key.'[]='.urlencode($value2);
+ }
+ }
 }
 }
 }
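Review bot: The new `preg_replace` on the first added line strips disallowed characters from the POST key instead of rejecting the key, so a parameter name containing `<`, `"` or similar is still copied into `$qs` under a mangled name, and a name made only of such characters becomes the empty string and appends `&=value`; since no legitimate parameter name changes under this regex, dropping altered keys is both safer and easier to reason about, e.g. replace that line with `$key = (string) $key;` and `if ($key === '' || $key !== preg_replace('/[^a-z0-9_\-\[\]]/i', '', $key)) { continue; }` and keep the rest of the hunk as is. The `in_array` against the `action`/`massaction`/`password` list should pass `true` as its third argument so the match is strict rather than loose. Where `$qs` is finally emitted, and how it is escaped there, lies outside the hunk, so whether `[` and `]` are harmless in that sink cannot be confirmed from here. The enclosing function `top_menu` continues on both sides of the hunk, and the header promises four trailing context lines of which only three are visible, so the hunk appears truncated at the end.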