diff --git a/docs/NEWS b/docs/NEWS
index 01329dd4..5999624e 100644
--- a/docs/NEWS
+++ b/docs/NEWS
@@ -35,6 +35,18 @@ Version 2.x.x (major) ()
 Version 2.1.3 ()
 ------------------------------------------------------------------------
+ * Security: Prevent XSS possibility in "edit entries" panel.
+ Thanks to @oreamnos and Hanno Boeck for reporting!
+
+ * Security: Disallow sending comment notifications and mails to more than one
+ mail address. This could be used to approving opt-ins of requests
+ that did not belong to the same email that was approved.
+ Thanks to Hanno Boeck for reporting!
+
+ * Security: Remove exit.php open redirect, when not using the trackexits-
+ plugin configured with Serendipity exit tracking.
+ Thanks to Julio Cesar (from infosec.com.br) and Hanno Boeck for reporting!
+
 * Fix SQL compatibility for creating of table "serendipity_groupconfig"
 * Added new "legal" plugin property bag attribute to indicate
diff --git a/exit.php b/exit.php
index d8a09be5..55205bb2 100644
--- a/exit.php
+++ b/exit.php
@@ -4,7 +4,9 @@
 include 'serendipity_config.inc.php';
-$url = $serendipity['baseURL'];
+$url = $serendipity['baseURL'];
+$trust_url = false;
+$open_redir = false;
 if (isset($_GET['url_id']) && !empty($_GET['url_id']) && isset($_GET['entry_id']) && !empty($_GET['entry_id'])) {
@@ -14,6 +16,7 @@ if (isset($_GET['url_id']) && !empty($_GET['url_id']) && isset($_GET['entry_id']
 if (is_array($links) && isset($links['link'])) {
 // URL is valid. Track it.
 $url = str_replace('&', '&', $links['link']);
+ $trust_url = true;
 serendipity_track_url('exits', $url, $_GET['entry_id']);
 } elseif (isset($_GET['url']) && !empty($_GET['url'])) {
 // URL is invalid. But a URL-location was sent, so we want to redirect the user kindly.
@@ -26,9 +29,23 @@ if (isset($_GET['url_id']) && !empty($_GET['url_id']) && isset($_GET['entry_id']
 }
 if (serendipity_isResponseClean($url)) {
- header('HTTP/1.0 301 Moved Permanently');
- header('Status: 301 Moved Permanently');
- header('Location: ' . $url);
+ if (serendipity_plugin_api::exists('serendipity_event_trackexits')) {
+ // Get configuration of plugin
+ $configValues = serendipity_db_query("SELECT value FROM {$serendipity['dbPrefix']}config WHERE name LIKE 'serendipity_event_trackexits:%/commentredirection'");
+ if (is_array($configValues)) {
+ foreach($configValues AS $configValue) {
+ if ($configValue['value'] == 's9y') {
+ $open_redir = true;
+ }
+ }
+ }
+ }
+
+ if ($trust_url || $open_redir) {
+ header('HTTP/1.0 301 Moved Permanently');
+ header('Status: 301 Moved Permanently');
+ header('Location: ' . $url);
+ }
 }
 exit;
 /* vim: set sts=4 ts=4 expandtab : */
diff --git a/include/admin/entries.inc.php b/include/admin/entries.inc.php
index 2ea7812b..e716885d 100644
--- a/include/admin/entries.inc.php
+++ b/include/admin/entries.inc.php
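Review bot: When neither `$trust_url` nor `$open_redir` is set, the new `if ($trust_url || $open_redir)` block falls straight through to `exit;`, so a rejected redirect target is answered with an empty 200 response that is indistinguishable from a successful exit in access logs and gives the visitor no indication of what happened. Consider an explicit status on the rejection path, e.g. `} else { header('HTTP/1.0 403 Forbidden'); }` after the inner `if`, so monitoring can count blocked exit.php redirect attempts. The plugin lookup `if ($configValue['value'] == 's9y')` should use `===`; the value column is a string, so strict comparison costs nothing and avoids PHP's loose-comparison rules. When the trackexits plugin is configured for s9y redirection, a `$_GET['url']` target (assigned in the `elseif` branch elided above this hunk) is still redirected to, guarded only by `serendipity_isResponseClean()`, which from its name appears to check the header value rather than the target host — a comment on the `$open_redir = true;` line should state that this intentionally re-enables the open redirect for that configuration.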
@@ -219,13 +219,13 @@ switch($serendipity['GET']['adminAction']) {
 $sort_import = array('perPage', 'ordermode', 'order');
 foreach($filter_import AS $f_import) {
- serendipity_restoreVar($serendipity['COOKIE']['entrylist_filter_' . $f_import], $serendipity['GET']['filter'][$f_import]);
- $data["get_filter_$f_import"] = $serendipity['GET']['filter'][$f_import];
+ serendipity_restoreVar($serendipity['COOKIE']['entrylist_filter_' . $f_import], serendipity_specialchars($serendipity['GET']['filter'][$f_import]));
+ $data["get_filter_$f_import"] = serendipity_specialchars($serendipity['GET']['filter'][$f_import]);
 }
 foreach($sort_import AS $s_import) {
- serendipity_restoreVar($serendipity['COOKIE']['entrylist_sort_' . $s_import], $serendipity['GET']['sort'][$s_import]);
- $data["get_sort_$s_import"] = $serendipity['GET']['sort'][$s_import];
+ serendipity_restoreVar($serendipity['COOKIE']['entrylist_sort_' . $s_import], serendipity_specialchars($serendipity['GET']['sort'][$s_import]));
+ $data["get_sort_$s_import"] = serendipity_specialchars($serendipity['GET']['sort'][$s_import]);
 }
 $perPage = (!empty($serendipity['GET']['sort']['perPage']) ? $serendipity['GET']['sort']['perPage'] : $per_page[0]);
diff --git a/include/functions_comments.inc.php b/include/functions_comments.inc.php
index 9413e89f..7b5b392a 100644
--- a/include/functions_comments.inc.php
+++ b/include/functions_comments.inc.php
@@ -1003,6 +1003,11 @@ function serendipity_saveComment($id, $commentInfo, $type = 'NORMAL', $source =
 $commentInfo['type'] = $type;
 $commentInfo['source'] = $source;
+
+ // Secure email addresses, only one [first] allowed to not mail to multiple recipients
+ $mailparts = explode(',', $commentInfo['email']);
+ $commentInfo['email'] = trim($mailparts[0]);
+
 serendipity_plugin_api::hook_event('frontend_saveComment', $ca, $commentInfo);
 if (!is_array($ca) || serendipity_db_bool($ca['allow_comments'])) {
 if ($GLOBALS['tb_logging']) {
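Review bot: Wrapping the second argument of `serendipity_restoreVar()` in `serendipity_specialchars()` passes a temporary where the function — if, as its name and the surrounding code suggest, it takes `&$target` by reference to copy the cookie value back into the GET variable — can no longer write through; PHP emits "Only variables should be passed by reference" and the cookie-persisted filter and sort settings stop being restored whenever the GET parameter is absent. This applies to both `restoreVar` calls in this hunk. Keeping the restore on the raw variable, `serendipity_restoreVar($serendipity['COOKIE']['entrylist_filter_' . $f_import], $serendipity['GET']['filter'][$f_import]);` (and likewise for `$s_import`), and escaping only in the `$data[...]` assignments still covers both the GET and the cookie path, because `$data` is filled after the restore. The raw GET values also still flow into `$perPage` and presumably into the entry query, so the escaping added here protects only the template output, not the database side; a comment stating that would save the next reader from assuming otherwise.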
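Review bot: Splitting on `,` only stops one form of multi-recipient address; a value containing CR/LF, a `;`, whitespace, or a `Name <addr>` form still passes through `trim($mailparts[0])` unchanged into `frontend_saveComment` and whatever sends the notification, so the result is not yet a single validated address. Validating the result, e.g. `$commentInfo['email'] = filter_var(trim($mailparts[0]), FILTER_VALIDATE_EMAIL) ?: '';`, rejects commas, semicolons, control characters and whitespace in one step, at the cost of refusing some exotic but RFC-valid addresses, so check how the field is used for anonymous comments before adopting it. `explode(',', null)` is deprecated on PHP 8.1+; if `$commentInfo['email']` can be unset for anonymous comments, coalesce first with `$commentInfo['email'] ?? ''`. The comment above the new lines should state the intent the NEWS entry gives — that this address is later used as the notification and opt-in approval recipient, so exactly one address may pass.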