Security fixes
This commit is contained in:
parent
e09b2600c6
commit
19513cdf14
12
docs/NEWS
12
docs/NEWS
@ -35,6 +35,18 @@ Version 2.x.x (major) ()
|
||||
Version 2.1.3 ()
|
||||
------------------------------------------------------------------------
|
||||
|
||||
* Security: Prevent XSS possibility in "edit entries" panel.
|
||||
Thanks to @oreamnos and Hanno Boeck for reporting!
|
||||
|
||||
* Security: Disallow sending comment notifications and mails to more than one
|
||||
mail address. This could be used to approving opt-ins of requests
|
||||
that did not belong to the same email that was approved.
|
||||
Thanks to Hanno Boeck for reporting!
|
||||
|
||||
* Security: Remove exit.php open redirect, when not using the trackexits-
|
||||
plugin configured with Serendipity exit tracking.
|
||||
Thanks to Julio Cesar (from infosec.com.br) and Hanno Boeck for reporting!
|
||||
|
||||
* Fix SQL compatibility for creating of table "serendipity_groupconfig"
|
||||
|
||||
* Added new "legal" plugin property bag attribute to indicate
|
||||
|
25
exit.php
25
exit.php
@ -4,7 +4,9 @@
|
||||
|
||||
include 'serendipity_config.inc.php';
|
||||
|
||||
$url = $serendipity['baseURL'];
|
||||
$url = $serendipity['baseURL'];
|
||||
$trust_url = false;
|
||||
$open_redir = false;
|
||||
|
||||
if (isset($_GET['url_id']) && !empty($_GET['url_id']) && isset($_GET['entry_id']) && !empty($_GET['entry_id'])) {
|
||||
|
||||
@ -14,6 +16,7 @@ if (isset($_GET['url_id']) && !empty($_GET['url_id']) && isset($_GET['entry_id']
|
||||
if (is_array($links) && isset($links['link'])) {
|
||||
// URL is valid. Track it.
|
||||
$url = str_replace('&', '&', $links['link']);
|
||||
$trust_url = true;
|
||||
serendipity_track_url('exits', $url, $_GET['entry_id']);
|
||||
} elseif (isset($_GET['url']) && !empty($_GET['url'])) {
|
||||
// URL is invalid. But a URL-location was sent, so we want to redirect the user kindly.
|
||||
@ -26,9 +29,23 @@ if (isset($_GET['url_id']) && !empty($_GET['url_id']) && isset($_GET['entry_id']
|
||||
}
|
||||
|
||||
if (serendipity_isResponseClean($url)) {
|
||||
header('HTTP/1.0 301 Moved Permanently');
|
||||
header('Status: 301 Moved Permanently');
|
||||
header('Location: ' . $url);
|
||||
if (serendipity_plugin_api::exists('serendipity_event_trackexits')) {
|
||||
// Get configuration of plugin
|
||||
$configValues = serendipity_db_query("SELECT value FROM {$serendipity['dbPrefix']}config WHERE name LIKE 'serendipity_event_trackexits:%/commentredirection'");
|
||||
if (is_array($configValues)) {
|
||||
foreach($configValues AS $configValue) {
|
||||
if ($configValue['value'] == 's9y') {
|
||||
$open_redir = true;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if ($trust_url || $open_redir) {
|
||||
header('HTTP/1.0 301 Moved Permanently');
|
||||
header('Status: 301 Moved Permanently');
|
||||
header('Location: ' . $url);
|
||||
}
|
||||
}
|
||||
exit;
|
||||
/* vim: set sts=4 ts=4 expandtab : */
|
||||
|
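Review bot: The `$open_redir` branch still forwards whatever arrives in `$_GET['url']` to `header('Location: ' . $url)` without any restriction, so on installations where a trackexits instance has commentredirection set to `s9y` the open redirect is kept on purpose, and that intent should be visible in the code, e.g. `// Deliberate: in trackexits "s9y" comment-redirection mode exit.php must forward arbitrary URLs; otherwise only DB-backed links are redirected.` above the `serendipity_plugin_api::exists(...)` check. The `LIKE 'serendipity_event_trackexits:%/commentredirection'` query turns the redirect on if any plugin instance is in that mode, which is worth a second comment on the `$configValues` line. `$configValue['value'] == 's9y'` should be `=== 's9y'` so that a non-string config value cannot match by loose comparison. From the hunk line counts the new block appears to sit inside the retained `if (serendipity_isResponseClean($url))`, which presumably still filters the header value; the rest of the file is outside the hunk.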
@ -219,13 +219,13 @@ switch($serendipity['GET']['adminAction']) {
|
||||
$sort_import = array('perPage', 'ordermode', 'order');
|
||||
|
||||
foreach($filter_import AS $f_import) {
|
||||
serendipity_restoreVar($serendipity['COOKIE']['entrylist_filter_' . $f_import], $serendipity['GET']['filter'][$f_import]);
|
||||
$data["get_filter_$f_import"] = $serendipity['GET']['filter'][$f_import];
|
||||
serendipity_restoreVar($serendipity['COOKIE']['entrylist_filter_' . $f_import], serendipity_specialchars($serendipity['GET']['filter'][$f_import]));
|
||||
$data["get_filter_$f_import"] = serendipity_specialchars($serendipity['GET']['filter'][$f_import]);
|
||||
}
|
||||
|
||||
foreach($sort_import AS $s_import) {
|
||||
serendipity_restoreVar($serendipity['COOKIE']['entrylist_sort_' . $s_import], $serendipity['GET']['sort'][$s_import]);
|
||||
$data["get_sort_$s_import"] = $serendipity['GET']['sort'][$s_import];
|
||||
serendipity_restoreVar($serendipity['COOKIE']['entrylist_sort_' . $s_import], serendipity_specialchars($serendipity['GET']['sort'][$s_import]));
|
||||
$data["get_sort_$s_import"] = serendipity_specialchars($serendipity['GET']['sort'][$s_import]);
|
||||
}
|
||||
|
||||
$perPage = (!empty($serendipity['GET']['sort']['perPage']) ? $serendipity['GET']['sort']['perPage'] : $per_page[0]);
|
||||
|
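Review bot: Passing `serendipity_specialchars(...)` as the second argument of `serendipity_restoreVar()` hands it a temporary value, so if that parameter is taken by reference (as the restore-from-cookie behaviour its name suggests would require) the cookie value can no longer be written back into `$serendipity['GET']['filter'][$f_import]` and PHP emits an "only variables should be passed by reference" notice; the sort loop below has the same shape. It also escapes at input time, so the cookie and the GET array then carry HTML entities, which a later request would escape again and which leak into whatever consumes these values as filter criteria. Keeping the raw value in the restore call and escaping only the copy handed to the template avoids both: `serendipity_restoreVar($serendipity['COOKIE']['entrylist_filter_' . $f_import], $serendipity['GET']['filter'][$f_import]);` followed by `$data["get_filter_$f_import"] = serendipity_specialchars($serendipity['GET']['filter'][$f_import]);`, and the same two-line form for the sort loop. The enclosing `switch` starts and ends outside the hunk.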
@ -1003,6 +1003,11 @@ function serendipity_saveComment($id, $commentInfo, $type = 'NORMAL', $source =
|
||||
|
||||
$commentInfo['type'] = $type;
|
||||
$commentInfo['source'] = $source;
|
||||
|
||||
// Secure email addresses, only one [first] allowed to not mail to multiple recipients
|
||||
$mailparts = explode(',', $commentInfo['email']);
|
||||
$commentInfo['email'] = trim($mailparts[0]);
|
||||
|
||||
serendipity_plugin_api::hook_event('frontend_saveComment', $ca, $commentInfo);
|
||||
if (!is_array($ca) || serendipity_db_bool($ca['allow_comments'])) {
|
||||
if ($GLOBALS['tb_logging']) {
|
||||
|
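Review bot: Splitting on `,` only drops extra comma-separated recipients; it does not reject an address that still contains other separators, whitespace or control characters, which may matter depending on how `$commentInfo['email']` is consumed later (outside this hunk). Validating the single remaining address with PHP's built-in filter covers those cases too: keep `$commentInfo['email'] = trim($mailparts[0]);` and add `if (filter_var($commentInfo['email'], FILTER_VALIDATE_EMAIL) === false) { $commentInfo['email'] = ''; }`, assuming an empty address is already acceptable downstream, which should be confirmed. The comment above the `explode` call should also say why only the first part survives, e.g. `// A comma-separated list would let one opt-in confirmation reach several mailboxes; keep only the first address.` serendipity_saveComment begins and ends outside the hunk.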