From 20e33bb6c31ae787b89d1b03c23816d1f668b425 Mon Sep 17 00:00:00 2001
From: Sam Minnee
Date: Tue, 20 Jan 2009 01:29:11 +0000
Subject: [PATCH] BUGFIX: URL input validation for RestfulServer

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@70376 467b73ca-7a2a-4603-9d3b-597d59a354a9
---
 api/RestfulServer.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/api/RestfulServer.php b/api/RestfulServer.php
index ad701a38f..139b91ed1 100644
--- a/api/RestfulServer.php
+++ b/api/RestfulServer.php
@@ -137,6 +137,11 @@ class RestfulServer extends Controller {
 $id = (isset($this->urlParams['ID'])) ? $this->urlParams['ID'] : null;
 $relation = (isset($this->urlParams['Relation'])) ? $this->urlParams['Relation'] : null;
 
+ // Check input formats
+ if(!class_exists($className)) return $this->notFound();
+ if($id && !is_numeric($id)) return $this->notFound();
+ if($relation && !preg_match('/^[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*$/', $relation)) return $this->notFound();
+
 // if api access is disabled, don't proceed
 $apiAccess = singleton($className)->stat('api_access');
 if(!$apiAccess) return $this->permissionFailure();
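Review bot: The new `class_exists($className)` check accepts any loadable class, not only DataObject subclasses, and the context line below then instantiates whatever passed via `singleton($className)`; since `$className` presumably comes from the URL (its assignment is above the hunk), the guard should be narrowed to `if(!class_exists($className) || !is_subclass_of($className, 'DataObject')) return $this->notFound();`, bearing in mind that `class_exists` also hands the raw string to the autoloader by default. The `is_numeric($id)` guard still admits signs, leading whitespace, exponent forms such as `1e3` and, on PHP 5, hex like `0x1A`; if the ID is meant to be a plain integer key, `ctype_digit($id)` or `preg_match('/^\d+$/D', $id)` is the tighter check. The relation pattern has no `D` modifier, so `$` matches before a trailing newline and `"Foo\n"` passes; `'/^[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*$/D'` closes that. The enclosing method starts and ends outside this hunk.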