From 51f477db88b14792ad0d036fb5ac2d740684a657 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Tim=20D=C3=BCsterhus?=
Date: Mon, 5 Jul 2021 12:39:50 +0200
Subject: [PATCH] Validate the `actionName` in MessageQuoteAction

---
 .../lib/action/MessageQuoteAction.class.php | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/wcfsetup/install/files/lib/action/MessageQuoteAction.class.php b/wcfsetup/install/files/lib/action/MessageQuoteAction.class.php
index 64ed74ad7c..3be30d0f26 100644
--- a/wcfsetup/install/files/lib/action/MessageQuoteAction.class.php
+++ b/wcfsetup/install/files/lib/action/MessageQuoteAction.class.php
@@ -42,7 +42,22 @@ class MessageQuoteAction extends AJAXProxyAction {
 public function readParameters() {
 AbstractSecureAction::readParameters();
- if (isset($_POST['actionName'])) $this->actionName = StringUtil::trim($_POST['actionName']);
+ if (isset($_POST['actionName'])) {
+ $this->actionName = StringUtil::trim($_POST['actionName']);
+
+ if (
+ !\in_array(
+ $this->actionName,
+ ['count', 'getQuotes', 'markForRemoval', 'remove', 'removeMarkedQuotes']
+ )
+ ) {
+ throw new UserInputException('actionName', 'invalid');
+ }
+ }
+ else {
+ throw new UserInputException('actionName');
+ }
+
 if (isset($_POST['getFullQuoteObjectIDs'])) $this->_getFullQuoteObjectIDs = intval($_POST['getFullQuoteObjectIDs']);
 if (isset($_POST['objectTypes']) && is_array($_POST['objectTypes'])) $this->objectTypes = ArrayUtil::trim($_POST['objectTypes']);
 if (isset($_POST['quoteIDs'])) {
--
2.20.1
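Review bot: The new allow-list check calls `\in_array()` without the strict flag, so the request-supplied `actionName` is matched by loose `==` comparison rather than identity; for an untrusted value that decides which method gets dispatched, the comparison should be strict: `!\in_array($this->actionName, ['count', 'getQuotes', 'markForRemoval', 'remove', 'removeMarkedQuotes'], true)`. With the current string-only list this is not exploitable as far as the hunk shows, but it leaves the check one refactor away from a loose-comparison bypass. Consider also hoisting the list into a class constant (e.g. `const ALLOWED_ACTIONS = [...]`) with a one-line comment stating that it must mirror the public action methods of this class, so the two do not drift apart silently. readParameters() continues past the end of the hunk.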