From 8600f4fe31cd5483cb9bfd08046718cdfa50c1bb Mon Sep 17 00:00:00 2001
From: Johannes Meyer
Date: Fri, 7 Mar 2025 16:02:40 +0100
Subject: [PATCH] Window: Only accept valid window IDs

(cherry picked from commit 484bd26d63abef172d0354140adf9ce353c444e0)
---
 library/Icinga/Web/Window.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/library/Icinga/Web/Window.php b/library/Icinga/Web/Window.php
index 158483a06..76643f4c6 100644
--- a/library/Icinga/Web/Window.php
+++ b/library/Icinga/Web/Window.php
@@ -112,7 +112,7 @@ class Window
 {
 if (! isset(static::$window)) {
 $id = Icinga::app()->getRequest()->getHeader('X-Icinga-WindowId');
- if (empty($id) || $id === static::UNDEFINED) {
+ if (empty($id) || $id === static::UNDEFINED || ! preg_match('/^\w+$/', $id)) {
 Icinga::app()->getResponse()->setOverrideWindowId();
 $id = static::generateId();
 }
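Review bot: The added `preg_match('/^\w+$/', $id)` test in the `if` condition is slightly looser than "word characters only", because without the `D` modifier PCRE's `$` also matches just before a trailing newline, so a header value ending in `\n` would still be accepted. Anchoring the end with `\z` closes that gap: `if (empty($id) || $id === static::UNDEFINED || ! preg_match('/^\w+\z/', $id)) {`. The pattern also puts no upper bound on the length of a client-supplied ID; if the IDs produced by `generateId()` (not visible here) have a known maximum length, a bounded quantifier in place of `+` would reject oversized values at the same point. The enclosing method starts and ends outside the hunk, so where `$id` is used afterwards cannot be confirmed from these lines.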