From 9c29702f71a36407718ae18dbdd6ca543fe2072c Mon Sep 17 00:00:00 2001
From: garvinhicking
Date: Mon, 25 Jul 2005 15:23:59 +0000
Subject: [PATCH] backport
---
 docs/NEWS | 4 ++++
 include/functions.inc.php | 3 ++-
 include/functions_comments.inc.php | 16 ++++++++++------
 3 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/docs/NEWS b/docs/NEWS
index c656dd4..521e991 100644
--- a/docs/NEWS
+++ b/docs/NEWS
@@ -14,6 +14,10 @@ Version 0.8.3 ()
 XML_RPC to 1.3.3 Fixing several bugs and vulnerabilities. (nohn)
+ * Fix possible exploit that sends comments to the blog owner and others
+ with arbitrary mailheaders and a link to invalid entries. Thanks to
+ Sebastian Raible! (garvinhicking)
+
 * Allow plugins to contain more than one HTML nuggets which can be WYSIWYGized. (garvinhicking)
diff --git a/include/functions.inc.php b/include/functions.inc.php
index 3a13173..73f2df6 100644
--- a/include/functions.inc.php
+++ b/include/functions.inc.php
@@ -169,7 +169,8 @@ function serendipity_sendMail($to, $subject, $message, $fromMail, $headers = NUL
 }
 // Fix special characters
- $fromName = str_replace(array('"'), array("'"), $fromName);
+ $fromName = str_replace(array('"', "\r", "\n"), array("'", '', ''), $fromName);
+ $fromMail = str_replace(array("\r","\n"), array('', ''), $fromMail);
 /* Prefix all mail with weblog title */
 $subject = '['. $serendipity['blogTitle'] . '] '. $subject;
diff --git a/include/functions_comments.inc.php b/include/functions_comments.inc.php
index 6213094..ceddb43 100644
--- a/include/functions_comments.inc.php
+++ b/include/functions_comments.inc.php
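Review bot: Stripping "\r" and "\n" from $fromName and $fromMail closes the header-injection path for the From header, but $subject and $to are the other values that end up in mail headers and this hunk gives them no equivalent treatment; unless serendipity_sendMail sanitises them elsewhere (its body starts and ends outside the hunk), a caller that passes commenter-controlled text as the subject leaves the same newline-based injection open. Applying the same replacement to every header value, e.g. `$subject = str_replace(array("\r", "\n"), '', $subject);` before the blog-title prefix is built, would make the protection independent of what callers pass in. As a point of style, str_replace accepts a scalar replacement for an array of needles, so `$fromMail = str_replace(array("\r", "\n"), '', $fromMail);` expresses the same thing with less noise, and putting that one-liner in a small helper would make it harder to forget for the next header field added here.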
@@ -331,6 +331,16 @@ function serendipity_saveComment($id, $commentInfo, $type = 'NORMAL', $source =
 $t = serendipity_db_escape_string(isset($commentInfo['time']) ? $commentInfo['time'] : time());
 $referer = (isset($_SESSION['HTTP_REFERER']) ? serendipity_db_escape_string($_SESSION['HTTP_REFERER']) : '');
+ $query = "SELECT a.email, e.title, a.mail_comments, a.mail_trackbacks
+ FROM {$serendipity['dbPrefix']}entries e, {$serendipity['dbPrefix']}authors a
+ WHERE e.id = '". (int)$id ."'
+ AND e.authorid = a.authorid";
+ $row = serendipity_db_query($query, true); // Get info on author/entry
+ if (!is_array($row) || empty($id)) {
+ // No associated entry found.
+ return false;
+ }
+
 if (isset($commentInfo['subscribe'])) {
 $subscribe = 'true';
 } else {
@@ -343,12 +353,6 @@ function serendipity_saveComment($id, $commentInfo, $type = 'NORMAL', $source =
 serendipity_db_query($query);
 $cid = serendipity_db_insert_id('comments', 'id');
- $query = "SELECT a.email, e.title, a.mail_comments, a.mail_trackbacks
- FROM {$serendipity['dbPrefix']}entries e, {$serendipity['dbPrefix']}authors a
- WHERE e.id = '". (int)$id ."'
- AND e.authorid = a.authorid";
- $row = serendipity_db_query($query, true); // Get info on author/entry
-
 // Send mail to the author if he chose to receive these mails, or if the comment is awaiting moderation
 if (serendipity_db_bool($ca['moderate_comments']) || ($type == 'NORMAL' && serendipity_db_bool($row['mail_comments']))
-- 
2.39.5
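Review bot: The `empty($id)` half of the new guard is evaluated only after the SELECT has already been issued with `(int)$id`, so an empty or non-numeric id still costs a round trip (the cast turns it into 0 and the lookup fails on is_array instead); testing the id before the query is cheaper and reads as the intended precondition: `if (empty($id)) { return false; }` ahead of `$query = ...`, leaving `if (!is_array($row))` as the post-query check. Moving the entry/author lookup ahead of the INSERT is the right shape for the fix, because a comment on a non-existent entry is now refused before anything is written, and the removal in the second hunk is just the other half of that move. Two things are worth confirming outside the hunk: that every caller of serendipity_saveComment handles the new `false` return, and that serendipity_db_query cannot hand back an array lacking `mail_comments` on error, since the second hunk's `serendipity_db_bool($row['mail_comments'])` now relies on this early return for its safety. serendipity_saveComment starts and ends outside the hunk.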