-if ($reasonnum == -1) {
- $reasonnum = {
- 'typenum' => scalar( $cgi->param('newreasonnumT') ),
- 'reason' => scalar( $cgi->param('newreasonnum' ) ),
- };
+#untaint reasonnum
+my $reasonnum = $cgi->param('reasonnum');
+if ( $method ne 'unsuspend' ) { #i.e. 'resume'
+ $reasonnum =~ /^(-?\d+)$/ or die "Illegal reasonnum";
+ $reasonnum = $1;
+
+ if ($reasonnum == -1) {
+ $reasonnum = {
+ 'typenum' => scalar( $cgi->param('newreasonnumT') ),
+ 'reason' => scalar( $cgi->param('newreasonnum' ) ),
+ };
+ }