Index: openacs-4/packages/xowiki/tcl/xowiki-www-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/xowiki/tcl/xowiki-www-procs.tcl,v
diff -u -N -r1.368.2.132 -r1.368.2.133
--- openacs-4/packages/xowiki/tcl/xowiki-www-procs.tcl 13 Sep 2022 09:56:20 -0000 1.368.2.132
+++ openacs-4/packages/xowiki/tcl/xowiki-www-procs.tcl 4 Oct 2022 15:00:54 -0000 1.368.2.133
@@ -2685,9 +2685,26 @@
 set cc [::${:package_id} context]
 if {![info exists field_names]} {
- set field_names [$cc array names form_parameter]
- #:log "===== Page get_form_data field_names from form data: [$cc array names form_parameter *_.*]"
+ #
+ # Field names might come directly from the POST request payload
+ # and need to be validated: enforce that field names are made
+ # only by alphanumeric characters and dots, with the exception
+ # of file related fields, where either .tmpfile or .content-type
+ # will be appended.
+ #
+ set field_names [list]
+ foreach att [$cc array names form_parameter] {
+ if {[regexp {^[\w.]+(\.(tmpfile|content-type))?$} $att]} {
+ lappend field_names $att
+ } else {
+ #
+ # We might decide to return a 403 here instead...
+ #
+ ad_log warning "Page get_form_data: field name '$att' was skipped. Received field names: [$cc array names form_parameter]"
+ }
+ }
 }
+ #:msg "fields $field_names // $form_fields"
 #foreach f $form_fields { :msg "... $f [$f name]" }
 #
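Review bot: The `regexp` on the new `if` line is looser than the comment above it states: in Tcl `\w` is `[[:alnum:]_]` and Unicode-aware, so underscores and non-ASCII letters are accepted, and the class also admits names made only of dots or starting with one, so `_`, `...` and `é.x` all pass the whitelist. If the intent is strictly ASCII letters, digits and dots as the comment says, `{^[A-Za-z0-9.]+(\.(tmpfile|content-type))?$}` is the matching pattern; otherwise the comment should be corrected to `# only by letters, digits, underscore and dots`. The `ad_log warning` in the else branch also writes the raw rejected names — which by construction contain characters outside the whitelist, possibly newlines or control characters — straight into the log, so truncating them, e.g. `[string range $att 0 63]`, would limit log spoofing by a client sending crafted field names. The enclosing `get_form_data` method starts before and continues after this hunk, so whether a legitimate field name containing a hyphen can now be silently dropped cannot be judged from the hunk alone.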