From 021f2a02c574ff94a8a43d34c8359e4440ac1629 Mon Sep 17 00:00:00 2001
From: Jens Maus
Date: Fri, 17 Jun 2022 11:17:30 +0200
Subject: [PATCH] limit the update-check.cgi to parse for cmd=download and not parse arbitrary query string options.
---
 VERSION | 2 +-
 www/update-check.cgi | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/VERSION b/VERSION
index 661e7ae..10c0880 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.7.3
+1.7.4
diff --git a/www/update-check.cgi b/www/update-check.cgi
index 84667fa..0622f28 100755
--- a/www/update-check.cgi
+++ b/www/update-check.cgi
@@ -7,8 +7,9 @@ catch {
 set input $env(QUERY_STRING)
 set pairs [split $input &]
 foreach pair $pairs {
- if {0 != [regexp "^(\[^=]*)=(.*)$" $pair dummy varname val]} {
- set $varname $val
+ if {$pair == "cmd=download"} {
+ set cmd "download"
+ break
 }
 }
 }
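Review bot: The added `if` line compares strings with `==`, which in Tcl is a numeric-first operator; for a literal string test the idiomatic and unambiguous form is `if {$pair eq "cmd=download"} {`. Since `cmd` is now only created when that exact pair appears, any code after the `catch` that reads `$cmd` needs an `info exists cmd` guard or a default such as `set cmd ""` placed before the `foreach`; the surrounding `catch` body starts before the hunk and the remainder of the script is outside it, so I cannot confirm which applies. A comment above the loop, `# Only the literal "cmd=download" pair is honoured; every other query parameter is ignored`, would make the intentional narrowing explicit for the next maintainer.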