From 647308216a53ea00fa84025bb6401f86646e9066 Mon Sep 17 00:00:00 2001
From: Guangcong Luo
Date: Mon, 16 Mar 2026 07:05:10 +0000
Subject: [PATCH] Fix security vuln

Special thanks to Mina for finding this
---
 play.pokemonshowdown.com/dirindex/dirindex.php | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/play.pokemonshowdown.com/dirindex/dirindex.php b/play.pokemonshowdown.com/dirindex/dirindex.php
index 5c281bf47..f989b4b55 100644
--- a/play.pokemonshowdown.com/dirindex/dirindex.php
+++ b/play.pokemonshowdown.com/dirindex/dirindex.php
@@ -749,6 +749,8 @@ if (function_exists('dirindex_intro')) {
 $has_sprites = false;
 $special_sprites = function_exists('dirindex_sprites');
 $view = $_GET['view'] ?? ($special_sprites ? 'sprites' : 'dir');
+if (!ctype_alnum($view)) die('Access denied; invalid view');
+
 if ($special_sprites || array_key_exists($rel_dir, $sprites_whitelist)) {
 $has_sprites = true;
 if ($view === 'sprites') {
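Review bot: The `ctype_alnum($view)` guard on the added line is locale-dependent — it classifies bytes by the current LC_CTYPE, so if the script sets a non-C locale elsewhere, bytes above 0x7F can be accepted as alphanumeric, and it also rejects an empty `?view=` rather than falling back to the default chosen on the line above. A non-string value such as `?view[]=x` should be rejected (the ctype functions return false for arrays) but raises a deprecation notice on PHP 8.1+. A locale-independent, type-checked form is `if (!is_string($view) || !preg_match('/\A[A-Za-z0-9]+\z/', $view)) { http_response_code(400); die('Access denied; invalid view'); }`, which also stops the bare `die()` from sending the denial with a 200 status. If the set of valid views is known (only 'sprites' and 'dir' are visible in this hunk), a strict `in_array($view, [...], true)` allowlist is tighter still. The enclosing top-level code runs both before and after the hunk.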