XML_RPC to 1.3.3
Fixing several bugs and vulnerabilities. (nohn)
+ * Fix possible exploit that sends comments to the blog owner and others
+ with arbitrary mailheaders and a link to invalid entries. Thanks to
+ Sebastian Raible! (garvinhicking)
+
* Allow plugins to contain more than one HTML nuggets which can be
WYSIWYGized. (garvinhicking)
}
// Fix special characters
- $fromName = str_replace(array('"'), array("'"), $fromName);
+ $fromName = str_replace(array('"', "\r", "\n"), array("'", '', ''), $fromName);
+ $fromMail = str_replace(array("\r","\n"), array('', ''), $fromMail);
/* Prefix all mail with weblog title */
$subject = '['. $serendipity['blogTitle'] . '] '. $subject;
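Review bot: The CR/LF stripping on the two added lines covers only `$fromName` and `$fromMail`, while `$subject`, built on the line just below, is left untouched apart from the blog-title prefix even though its name suggests it ends up in the same message header. If any caller passes a subject derived from request data, the header-injection vector this hunk closes for the sender fields stays open there; applying the same treatment, `$subject = str_replace(array("\r", "\n"), array('', ''), $subject);`, immediately before the prefix line closes that gap. The callers are not visible in this hunk, so whether a request-controlled subject currently reaches this point is something to confirm rather than a defect I can point to. The enclosing function starts and ends outside the hunk.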
$t = serendipity_db_escape_string(isset($commentInfo['time']) ? $commentInfo['time'] : time());
$referer = (isset($_SESSION['HTTP_REFERER']) ? serendipity_db_escape_string($_SESSION['HTTP_REFERER']) : '');
+ $query = "SELECT a.email, e.title, a.mail_comments, a.mail_trackbacks
+ FROM {$serendipity['dbPrefix']}entries e, {$serendipity['dbPrefix']}authors a
+ WHERE e.id = '". (int)$id ."'
+ AND e.authorid = a.authorid";
+ $row = serendipity_db_query($query, true); // Get info on author/entry
+ if (!is_array($row) || empty($id)) {
+ // No associated entry found.
+ return false;
+ }
+
if (isset($commentInfo['subscribe'])) {
$subscribe = 'true';
} else {
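Review bot: The added guard `if (!is_array($row) || empty($id))` tests `$id` only after the SELECT has already been issued with `e.id = '0'` for an empty id; placing the id check ahead of the query, `if (empty($id)) { return false; }`, avoids the wasted round-trip and leaves `!is_array($row)` standing alone as the "no associated entry" case the adjacent comment describes. The relocated lookup also assigns `$query` earlier than before, so the INSERT that `serendipity_db_query($query)` later executes must be assigned after this block; that assignment is outside the hunk, so it is worth confirming. The enclosing function starts and ends outside the hunk.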
serendipity_db_query($query);
$cid = serendipity_db_insert_id('comments', 'id');
- $query = "SELECT a.email, e.title, a.mail_comments, a.mail_trackbacks
- FROM {$serendipity['dbPrefix']}entries e, {$serendipity['dbPrefix']}authors a
- WHERE e.id = '". (int)$id ."'
- AND e.authorid = a.authorid";
- $row = serendipity_db_query($query, true); // Get info on author/entry
-
// Send mail to the author if he chose to receive these mails, or if the comment is awaiting moderation
if (serendipity_db_bool($ca['moderate_comments'])
|| ($type == 'NORMAL' && serendipity_db_bool($row['mail_comments']))