From fb69347ea7a9507477b4c8d043f76dc4d119beba Mon Sep 17 00:00:00 2001
From: Regis Houssin
Date: Fri, 9 Feb 2024 11:24:57 +0100
Subject: [PATCH] FIX CVE-2024-23817 (#28089)

* FIX CVE-2024-23817

* FIX syntax error
---
 htdocs/main.inc.php | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index d541f3abce5..c1d797a6e2b 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -1926,8 +1926,20 @@ function top_menu($head, $title = '', $target = '', $disablejs = 0, $disablehead
 if (isset($_POST) && is_array($_POST)) {
 foreach ($_POST as $key => $value) {
- if ($key !== 'action' && $key !== 'password' && !is_array($value)) {
- $qs .= '&'.$key.'='.urlencode($value);
+ $key = preg_replace('/[^a-z0-9_\-\[\]]/i', '', $key);
+ if (in_array($key, array('action', 'massaction', 'password'))) {
+ continue;
+ }
+ if (!is_array($value)) {
+ if ($value !== '') {
+ $qs .= '&'.$key.'='.urlencode($value);
+ }
+ } else {
+ foreach ($value as $value2) {
+ if (($value2 !== '') && (!is_array($value2))) {
+ $qs .= '&'.$key.'[]='.urlencode($value2);
+ }
+ }
 }
 }
 }
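Review bot: `in_array($key, array('action', 'massaction', 'password'))` in the new block still compares loosely, and the `preg_replace` just above it can leave `$key` empty (or `null` if PCRE reports an error), in which case the loop appends a bare `&=value` pair to `$qs` instead of skipping the field. Tighten the guard to `if ($key === '' || $key === null || in_array($key, array('action', 'massaction', 'password'), true)) { continue; }`. Note also that the character filter makes distinct POST keys collide (`a.b` and `ab` both become `ab`), so two fields can land under one query-string name; that is worth a comment on the `preg_replace` line such as `// Reduce the key to [A-Za-z0-9_-[]] so it is safe to place in a URL unescaped; colliding keys are tolerated`. Whether `$qs` is safe where it is finally written still depends on the escaping applied at that sink, which is outside this hunk; `top_menu` continues beyond these lines.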