Fix SQL injection reported by Dr. Neal Krawetz

diff --git a/docs/NEWS b/docs/NEWS
index c8a4a9dc90a50f9848be9c838ae933fdb75449aa..0f4a05f1b6b6238e39e6b2754853406687f49825 100644 (file)
--- a/docs/NEWS
+++ b/docs/NEWS
@@ -1,19 +1,22 @@
 # $Id$
 
-Version 1.1.3 ()
+Version 1.1.3 (June 17th, 2007)
 ------------------------------------------------------------------------
 
+    * Fix SQL injection through 'commentMode' variable. Thanks to
+      Dr. Neal Krawetz
+
     * Fix missing %username% permalink pattern in single entry view.
       Patch by cress_cc
-          
-Version 1.1.2 ()
+
+Version 1.1.2 (March 1st, 2007)
 ------------------------------------------------------------------------
 
     * Fix showing SQL error message when an empty category is selected
       for viewing. Fixes an issue reported by Samenspender that was
       falsely declard as SQL injection. In fact, no invalid SQL
       code can be injected. (garvinhicking)
-                
+
     * Better checks to see if the local PEAR inclusion is required
       (garvinhicking)
 
@@ -27,7 +30,7 @@ Version 1.1.1 (February 22nd, 2007)
 
     * Patch pingback receiving function to use proper Regexp, thanks to
       dhaun from the forums
-          
+
     * Make categories sidebar plugin properly return evaluated categories
       list to plugin_categories.tpl template. Currently, a hidden
       structure would only be displayed when not using custom template.
@@ -36,19 +39,19 @@ Version 1.1.1 (February 22nd, 2007)
     * Change order of trackback execution flow (again) to preserve
       references for plugins like Track Exits, when used in conjunction
       with the entryproperties cache (garvinhicking)
- 
+
     * Fixed a bug that prevented some entryproperty-plugins to execute
       on the entry detail pane. (garvinhicking, Dragonblast)
 
     * Fix a bug in sending the right login session cookies on Windows IIS
       servers. Major thanks to Shadowin from the forums!
-          
+
 Version 1.1 (December 28th, 2006)
 ------------------------------------------------------------------------
 
     * Fix better installer warning messages when directories have no
       write privileges and already exist. Thanks to wagwag!
-          
+
     * Small bugfixes: Allow to use different login credentials than the
       current HTTP Basic-Auth, if used. Order categories by name in
       single entry view (garvinhicking)
@@ -405,7 +408,7 @@ Version 1.0.4 (December 1st, 2006)
 
    * Fixed problem in trackbacks using a formatted link (like through
      trackexits plugin) to trackback to instead of the real one
-        
+
 Version 1.0.3 (November 7th, 2006)
 ------------------------------------------------------------------------
 

diff --git a/include/functions_comments.inc.php b/include/functions_comments.inc.php
index 77e1dbba33ec764b77560f372f0e89f3679d6339..5dfe2dcea98312d4900ead43df51596344a13ff9 100644 (file)
--- a/include/functions_comments.inc.php
+++ b/include/functions_comments.inc.php
@@ -312,7 +312,7 @@ function serendipity_printComments($comments, $parentid = 0, $depth = 0, $trace
 function serendipity_printCommentsByAuthor() {
     global $serendipity;
 
-    $type      = $serendipity['GET']['commentMode'];
+    $type      = serendipity_db_escape_string($serendipity['GET']['commentMode']);
 
     if ($type == 'comments' || empty($type)) {
         $type = 'NORMAL';