security: Ensure Session ID

JediKev · JediKev · commit c646c8cb86f0 · 2026-01-13T15:51:11.000-06:00
This ensures the session ID is of an acceptable format before sending to
`create()`.
diff --git a/include/class.ostsession.php b/include/class.ostsession.php
@@ -422,7 +422,7 @@ public static function lookupRecord($id, $autocreate = false,
         }
         catch (DoesNotExist $e) {
             // We're auto-creating model (unsaved) when one doesn't exist?
-            $record = $autocreate ? self::create($id) : null;
+            $record = ($autocreate && ctype_alnum($id)) ? self::create($id) : null;
         }
         catch (OrmException | Exception $ex) {
             // This could happen if more than one record exits in the

Original file line number	Diff line number	Diff line change
`@@ -422,7 +422,7 @@ public static function lookupRecord($id, $autocreate = false,`
`422`	`422`	`}`
`423`	`423`	`catch (DoesNotExist $e) {`
`424`	`424`	`// We're auto-creating model (unsaved) when one doesn't exist?`
`425`		`- $record = $autocreate ? self::create($id) : null;`
	`425`	`+ $record = ($autocreate && ctype_alnum($id)) ? self::create($id) : null;`
`426`	`426`	`}`
`427`	`427`	`catch (OrmException \| Exception $ex) {`
`428`	`428`	`// This could happen if more than one record exits in the`