Adjust fetchLimit to ensure integer content

docs/NEWS

@@ -35,6 +35,10 @@ Version 2.x.x (major) ()
 Version 2.1.3 ()
 ------------------------------------------------------------------------
 
+    * Security: Make sure that the admins configuration for RSS
+      and blog entry limit is parsed as integer for SQL queries.
+      Thanks to @oreamnos and Hanno Boeck for reporting!
+
     * Security: Prevent XSS possibility in "edit entries" panel.
       Thanks to @oreamnos and Hanno Boeck for reporting!
 

rss.php

@@ -101,7 +101,7 @@ switch ($_GET['type']) {
     case 'comments_and_trackbacks':
     case 'trackbacks':
     case 'comments':
-        $entries     = serendipity_fetchComments(isset($_GET['cid']) ? $_GET['cid'] : null, $serendipity['RSSfetchLimit'], 'co.id desc', false, $_GET['type']);
+        $entries     = serendipity_fetchComments(isset($_GET['cid']) ? $_GET['cid'] : null, (int)$serendipity['RSSfetchLimit'], 'co.id desc', false, $_GET['type']);
         $description = $title . ' - ' . $description;
         if (isset($_GET['cid'])) {
             $title   = $title . ' - ' . COMMENTS_FROM . ' "' . $latest_entry[0]['title'] . '"';

serendipity_config.inc.php

@@ -376,6 +376,10 @@ if (isset($_SESSION['serendipityAuthorid'])) {
     $serendipity['lang'] = serendipity_getPostAuthSessionLanguage();
 }
 
+// Ensure that these limits do not contain strings
+$serendipity['fetchLimit'] = (int)$serendipity['fetchLimit'];
+$serendipity['RSSfetchLimit'] = (int)$serendipity['RSSfetchLimit'];
+
 // Try to fix some path settings. It seems common users have this setting wrong
 // when s9y is installed into the root directory, especially 0.7.1 upgrade users.
 if (empty($serendipity['serendipityHTTPPath'])) {