From cf938cd91576cbc01b7e2308cac2ef1cdb8475b6 Mon Sep 17 00:00:00 2001
From: Thibaut Ackermann
Date: Tue, 7 May 2019 11:23:29 +0200
Subject: [PATCH] fix the webadmin ip permission add/delete sql injection
---
 src/apps/relay/turn_admin_server.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/apps/relay/turn_admin_server.c b/src/apps/relay/turn_admin_server.c
index 7e03964..dade161 100644
--- a/src/apps/relay/turn_admin_server.c
+++ b/src/apps/relay/turn_admin_server.c
@@ -3230,6 +3230,8 @@ static void handle_update_request(ioa_socket_handle s, struct http_request* hr)
 if(current_realm()[0] && strcmp(current_realm(),r)) {
 //forbidden
+ } else if (strcmp(kind, "allowed") != 0 && strcmp(kind, "denied") != 0) {
+ //forbidden
 } else {
 uint8_t realm[STUN_MAX_REALM_SIZE+1]="\0";
@@ -3263,6 +3265,8 @@ static void handle_update_request(ioa_socket_handle s, struct http_request* hr)
 if(current_realm()[0] && strcmp(current_realm(),r)) {
 //forbidden
+ } else if (strcmp(kind, "allowed") != 0 && strcmp(kind, "denied") != 0) {
+ //forbidden
 } else {
 uint8_t realm[STUN_MAX_REALM_SIZE+1]="\0";
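Review bot: The new `kind` allowlist is written out twice in `handle_update_request` (here and in the hunk at new line 3265) and rejects silently, since the branch body is only `//forbidden`. A single helper, e.g. `static int is_ip_permission_kind(const char *k) { return k && (!strcmp(k, "allowed") || !strcmp(k, "denied")); }`, would keep the add and delete paths from drifting and would also cover a NULL `kind`, whose origin is outside the hunk. Because the check sits in the HTTP handler, any other caller of the underlying permission routines is presumably still unguarded; repeating the check where the statement is built would close that, and the realm and IP values deserve the same scrutiny if they are interpolated into the same query (not visible here). Logging the rejected request, without echoing the raw value, would also give operators a signal that the admin interface is receiving malformed input. The function body begins and ends outside both hunks.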