From e3ebc766e523d6ca530bd9869bff7c838467dbb7 Mon Sep 17 00:00:00 2001
From: Jared Vititoe
Date: Sat, 11 Apr 2026 21:08:55 -0400
Subject: [PATCH] Fix open redirect in legacy ticket.php URL handler

The /ticket.php?id=VALUE redirect did not validate the id parameter, allowing path traversal (e.g. ?id=../admin) or other unexpected values in the Location header. Added ctype_digit validation so only positive numeric IDs are redirected to /ticket/N; anything else falls back to /.

Co-Authored-By: Claude Sonnet 4.6
---
 index.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/index.php b/index.php
index 399d757..5a93fa8 100644
--- a/index.php
+++ b/index.php
@@ -400,7 +400,12 @@ switch (true) {
         exit;
 
     case preg_match('/^\/ticket\.php/', $requestPath) && isset($_GET['id']):
-        header("Location: /ticket/" . $_GET['id']);
+        $legacyId = (string)$_GET['id'];
+        if (ctype_digit($legacyId) && (int)$legacyId > 0) {
+            header("Location: /ticket/" . $legacyId);
+        } else {
+            header("Location: /");
+        }
         exit;
 
     default:
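Review bot: The `(string)$_GET['id']` cast on the first added line still emits an "Array to string conversion" warning when the parameter arrives as an array (`?id[]=1`), before `ctype_digit` gets a chance to reject the value; the fallback to `/` is right, but the branch should not rely on a warning-producing cast to get there. Guarding the type first, `$legacyId = is_string($_GET['id']) ? $_GET['id'] : '';`, keeps the same outcome because `ctype_digit('')` is false. Leading zeros also pass the new check (`?id=007` redirects to `/ticket/007`), so emitting the canonical form, `header("Location: /ticket/" . (int)$legacyId);`, gives one URL per ticket; the `(int)` is safe there only because the string was already verified to be all digits. The enclosing `switch (true)` starts and ends outside the hunk.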