--- awstats-6.3.orig/wwwroot/cgi-bin/awstats.pl	2005-01-22 11:34:38.000000000 -0500
+++ awstats-6.3.orig/wwwroot/cgi-bin/awstats.pl	2005-02-12 15:59:35.802871834 -0500
@@ -5368,9 +5368,9 @@ 
 	# No update but report by default when run from a browser
 	$UpdateStats=($QueryString=~/update=1/i?1:0);
 
-	if ($QueryString =~ /config=([^&]+)/i)				{ $SiteConfig=&DecodeEncodedString("$1"); }
+	if ($QueryString =~ /config=([^&]+)/i)				{ $SiteConfig=&DecodeEncodedString("$1"); $SiteConfig =~ s/[^\w_\-\\\/\.\s]//g }
 	if ($QueryString =~ /diricons=([^&]+)/i)			{ $DirIcons=&DecodeEncodedString("$1"); }
-	if ($QueryString =~ /pluginmode=([^&]+)/i)			{ $PluginMode=&Sanitize(&DecodeEncodedString("$1")); }
+	if ($QueryString =~ /pluginmode=([^&]+)/i)			{ $PluginMode=&DecodeEncodedString("$1"); $PluginMode =~ s/[^\w_\-\\\/\.\s]//g }
 	if ($QueryString =~ /configdir=([^&]+)/i)			{ $DirConfig=&Sanitize(&DecodeEncodedString("$1")); }
 	# All filters
 	if ($QueryString =~ /hostfilter=([^&]+)/i)			{ $FilterIn{'host'}=&DecodeEncodedString("$1"); }			# Filter on host list can also be defined with hostfilter=filter
@@ -5416,9 +5416,9 @@ 
 	# Update with no report by default when run from command line
 	$UpdateStats=1;
 
-	if ($QueryString =~ /config=([^&]+)/i)				{ $SiteConfig="$1"; }
+	if ($QueryString =~ /config=([^&]+)/i)				{ $SiteConfig="$1"; $SiteConfig =~ s/[^\w_\-\\\/\.\s]//g }
 	if ($QueryString =~ /diricons=([^&]+)/i)			{ $DirIcons="$1"; }
-	if ($QueryString =~ /pluginmode=([^&]+)/i)			{ $PluginMode=&Sanitize("$1"); }
+	if ($QueryString =~ /pluginmode=([^&]+)/i)			{ $PluginMode="$1"; $PluginMode =~ s/[^\w_\-\\\/\.\s]//g }
 	if ($QueryString =~ /configdir=([^&]+)/i)			{ $DirConfig=&Sanitize("$1"); }
 	# All filters
 	if ($QueryString =~ /hostfilter=([^&]+)/i)			{ $FilterIn{'host'}="$1"; }			# Filter on host list can also be defined with hostfilter=filter
@@ -5447,8 +5447,8 @@ 
 if ($QueryString =~ /(^|&)framename=([^&]+)/i)		{ $FrameName="$2"; }
 if ($QueryString =~ /(^|&)debug=(\d+)/i)			{ $Debug=$2; }
 if ($QueryString =~ /(^|&)updatefor=(\d+)/i)		{ $UpdateFor=$2; }
-if ($QueryString =~ /(^|&)noloadplugin=([^&]+)/i)	{ foreach (split(/,/,$2)) { $NoLoadPlugin{&Sanitize("$_")}=1; } }
-if ($QueryString =~ /(^|&)loadplugin=([^&]+)/i)		{ foreach (split(/,/,$2)) { $NoLoadPlugin{&Sanitize("$_")}=-1; } }
+if ($QueryString =~ /(^|&)noloadplugin=([^&]+)/i)	{ foreach (split(/,/,$2)) { s/[^\w_\-\\\/\.\s]//g; $NoLoadPlugin{"$_"}=1; } }
+if ($QueryString =~ /(^|&)loadplugin=([^&]+)/i)		{ foreach (split(/,/,$2)) { s/[^\w_\-\\\/\.\s]//g; $NoLoadPlugin{"$_"}=-1; } }
 if ($QueryString =~ /(^|&)limitflush=(\d+)/i)		{ $LIMITFLUSH=$2; }
 # Get/Define output
 if ($QueryString =~ /(^|&)output(=[^&]*|)(.*)&output(=[^&]*|)(&|$)/i) { error("Only 1 output option is allowed","","",1); }