From 050875995c3adfe286efca1fdcddd5d2b90fe6d9 Mon Sep 17 00:00:00 2001
From: Ralf Becker
Date: Wed, 3 Aug 2011 07:18:17 +0000
Subject: [PATCH] fix problem reported by Fabio Ciuffani / John Leitch
---
 admin/remote.php | 1 +
 1 file changed, 1 insertion(+)
diff --git a/admin/remote.php b/admin/remote.php
index c55cff5757..f6333252e3 100644
--- a/admin/remote.php
+++ b/admin/remote.php
@@ -67,6 +67,7 @@ if (is_object($cmd))
 // check if requests contains a reasonable looking admin command to be queued
 if (!$_REQUEST['uid'] || // no uid
 !$_REQUEST['type'] || // no command class name
+ !preg_match('/^[a-z0-9_]+$/i', $_REQUEST['type']) || // type is a (autoloadable) class name, prevent inclusion of arbitrary files
 !$_REQUEST['creator_email']) // no creator email
 {
 header("HTTP/1.1 200 Bad format!");
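Review bot: The anchor in the added `preg_match('/^[a-z0-9_]+$/i', $_REQUEST['type'])` check is looser than its comment implies: without the `D` modifier, `$` also matches just before a final newline, so a `type` value ending in a line feed still passes. Since the comment says this value is used as an autoloadable class name, I would anchor with `\z` instead: `!preg_match('/^[a-z0-9_]+\z/i', $_REQUEST['type']) ||`. The check also restricts only the character set, so any autoloadable class name is still accepted. Whether the code after this hunk confirms that the class is really an admin command is not visible here and is worth verifying before the value is instantiated. The enclosing `if` block continues past the end of the hunk.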