===================================================================
RCS file: /cvs/cvsweb/cvsweb.cgi,v
retrieving revision 4.8
retrieving revision 4.9
diff -u -p -r4.8 -r4.9
--- cvsweb/cvsweb.cgi 2019/11/09 09:41:07 4.8
+++ cvsweb/cvsweb.cgi 2019/11/09 10:06:23 4.9
@@ -1,5 +1,5 @@
 #!/usr/bin/perl
-# $Id: cvsweb.cgi,v 4.8 2019/11/09 09:41:07 schwarze Exp $
+# $Id: cvsweb.cgi,v 4.9 2019/11/09 10:06:23 schwarze Exp $
 # $knu: cvsweb.cgi,v 1.299 2010/11/13 16:37:18 simon
 #
 # cvsweb - a CGI interface to CVS trees.
@@ -358,9 +358,17 @@ if (defined($ENV{QUERY_STRING})) {
 $p =~ y/+/ /;
 my ($key, $val) = split(/=/, $p, 2);
 next unless defined($key);
- $val = 1 unless defined($val);
- ($key = uri_unescape($key)) =~ /[[:graph:]]/ or next;
- ($val = uri_unescape($val)) =~ /[[:graph:]]/ or next;
+ $key = uri_unescape($key);
+ $key =~ /([^a-z_12-])/ and fatal('404 Not Found',
+ 'Invalid character "%s" in query parameter "%s"', $1, $key);
+ if (defined $val) {
+ $val = uri_unescape($val);
+ $val =~ /([^a-zA-Z_01-9.\/-])/ and fatal('404 Not Found',
+ 'Invalid character "%s" in the value "%s" of the query parameter "%s"',
+ $1, $value, $key);
+ } else {
+ $val = 1;
+ }
 $query{$key} = $val;
 }
 }
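Review bot: The second fatal() call in the added value check passes `$value`, which is not a variable this block declares — the unescaped value lives in `$val` — so the message will report an empty value (or, if `use strict 'vars'` is in force elsewhere in the file, the script will not compile); the argument list should read `$1, $val, $key);`. Both new fatal() calls echo the rejected character and the value back to the client, so unless fatal() HTML-escapes its format arguments (not visible in this hunk) the 404 body reflects client-supplied bytes, which is worth confirming in fatal() itself. There is also an unmentioned behaviour change: a parameter with an empty value such as `f=` was previously dropped by the `or next` on the old `[[:graph:]]` test, whereas it now passes the character class and is stored as `$query{f} = ''`. The loop enclosing these lines begins before the hunk.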