From df1ec683f930734d7532bd3dc3b10c46da947748 Mon Sep 17 00:00:00 2001
From: Florent Bruneau
Date: Fri, 1 Jun 2012 09:27:09 +0200
Subject: [PATCH] Validate content of reports made by clients.
Signed-off-by: Florent Bruneau
---
 modules/core.php | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/modules/core.php b/modules/core.php
index d0168b2..af55a24 100644
--- a/modules/core.php
+++ b/modules/core.php
@@ -225,7 +225,15 @@ class CoreModule extends PLModule
 function handler_register_error($page)
 {
 if (S::has_xsrf_token() && Post::has('error') && Post::has('url')) {
- PlErrorReport::report("Client error on " . Post::s('url') . ":\n\n" . Post::s('error'));
+ $error = Post::s('error');
+ if (strlen($error) > 20000) {
+ exit;
+ }
+ $json = @json_decode($error, true, 3);
+ if (!is_array($json) || count($json) === 0) {
+ exit;
+ }
+ PlErrorReport::report("Client error on " . Post::s('url') . ":\n\n" . $error);
 }
 exit;
 }
--
2.1.4
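Review bot: `Post::s('url')` is still concatenated into the report with no length or format check, so the new validation covers only one of the two client-supplied fields that reach `PlErrorReport::report()`. Any caller holding a valid XSRF token can still send an arbitrarily long or multi-line `url`, which matters if the report is mailed or logged line by line (the sink is not visible in this hunk). I would bound it before the report call in the same way, with a limit of your choosing (2048 here is only an example): `$url = Post::s('url');` then `if (strlen($url) > 2048 || strpbrk($url, "\r\n") !== false) { exit; }`. Both rejection paths also `exit` silently, so oversized or malformed submissions leave no trace; a counter or a short log line there would make abuse of this endpoint visible.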