From 6bcc95a20d41beb3535d3724dd012cdf5b40a575 Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Tue, 24 Feb 2015 15:05:44 +0100
Subject: [PATCH] Restricting evaluated code variable names to Python valid characters ([_0-9a-zA-Z])
---
 lib/request/connect.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/request/connect.py b/lib/request/connect.py
index ef7cd40fe..b0427b18b 100644
--- a/lib/request/connect.py
+++ b/lib/request/connect.py
@@ -848,7 +848,7 @@ class Connect(object):
 for part in item.split(delimiter):
 if '=' in part:
 name, value = part.split('=', 1)
- name = name.strip()
+ name = re.sub(r"[^\w]", "", name.strip())
 if name in keywords:
 name = "%s%s" % (name, EVALCODE_KEYWORD_SUFFIX)
 value = urldecode(value, convall=True, plusspace=(item==post and kb.postSpaceToPlus))
@@ -858,7 +858,7 @@ class Connect(object):
 for part in cookie.split(conf.cookieDel or DEFAULT_COOKIE_DELIMITER):
 if '=' in part:
 name, value = part.split('=', 1)
- name = name.strip()
+ name = re.sub(r"[^\w]", "", name.strip())
 if name in keywords:
 name = "%s%s" % (name, EVALCODE_KEYWORD_SUFFIX)
 value = urldecode(value, convall=True)
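Review bot: Stripping non-word characters can still leave `name` empty or starting with a digit, which is not a valid Python identifier; this applies to the `re.sub` line in both hunks (the `item.split(delimiter)` loop and the cookie loop). A guard right after the substitution, for example `if not name or name[0].isdigit(): continue`, would keep such names out of the evaluated namespace, assuming skipping the parameter is acceptable to the code below. Two different parameter names can also collapse to the same identifier (`a-b` and `ab`), so the later one would silently overwrite the earlier. `\w` matches only the `[_0-9a-zA-Z]` set named in the subject when no `re.UNICODE`/`re.LOCALE` flag applies and the string type is ASCII-matched, so writing the class out as `[^0-9A-Za-z_]` would make the intent explicit. Both loops continue outside the hunks, so how `name` is consumed afterwards is inferred from the commit subject.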