From 1afc4d929d96e5bf63cafd4cb8155ca2fb4e8f5f Mon Sep 17 00:00:00 2001
From: Garvin Hicking
Date: Wed, 18 Jul 2018 11:59:45 +0200
Subject: [PATCH] Adjust fetchLimit to ensure integer content
---
 docs/NEWS | 4 ++++
 rss.php | 2 +-
 serendipity_config.inc.php | 4 ++++
 3 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/docs/NEWS b/docs/NEWS
index 5999624e..91c78d4d 100644
--- a/docs/NEWS
+++ b/docs/NEWS
@@ -35,6 +35,10 @@ Version 2.x.x (major) ()
 Version 2.1.3 ()
 ------------------------------------------------------------------------
 
+ * Security: Make sure that the admins configuration for RSS
+ and blog entry limit is parsed as integer for SQL queries.
+ Thanks to @oreamnos and Hanno Boeck for reporting!
+
 * Security: Prevent XSS possibility in "edit entries" panel.
 Thanks to @oreamnos and Hanno Boeck for reporting!
 
diff --git a/rss.php b/rss.php
index 7d3cab96..401788d9 100644
--- a/rss.php
+++ b/rss.php
@@ -101,7 +101,7 @@ switch ($_GET['type']) {
 case 'comments_and_trackbacks':
 case 'trackbacks':
 case 'comments':
- $entries = serendipity_fetchComments(isset($_GET['cid']) ? $_GET['cid'] : null, $serendipity['RSSfetchLimit'], 'co.id desc', false, $_GET['type']);
+ $entries = serendipity_fetchComments(isset($_GET['cid']) ? $_GET['cid'] : null, (int)$serendipity['RSSfetchLimit'], 'co.id desc', false, $_GET['type']);
 $description = $title . ' - ' . $description;
 if (isset($_GET['cid'])) {
 $title = $title . ' - ' . COMMENTS_FROM . ' "' . $latest_entry[0]['title'] . '"';
diff --git a/serendipity_config.inc.php b/serendipity_config.inc.php
index 4476683a..33bc6a65 100644
--- a/serendipity_config.inc.php
+++ b/serendipity_config.inc.php
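Review bot: In the rss.php hunk, the changed `serendipity_fetchComments()` call now casts the limit, but its first argument is still the raw `$_GET['cid']` taken from the request, which is less trusted than the admin-configured limit this commit hardens. The body of `serendipity_fetchComments()` is not visible here, so it may already normalise the id; if it does not, or as defence in depth at the call site, the argument could be written `isset($_GET['cid']) ? (int)$_GET['cid'] : null`, assuming `cid` is always a numeric entry id. The same call passes `$_GET['type']` through, though the surrounding `case` labels restrict it to three literal values. The `switch` starts above the hunk and the `if (isset($_GET['cid']))` block continues below it.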
@@ -376,6 +376,10 @@ if (isset($_SESSION['serendipityAuthorid'])) {
 $serendipity['lang'] = serendipity_getPostAuthSessionLanguage();
 }
 
+// Ensure that these limits do not contain strings
+$serendipity['fetchLimit'] = (int)$serendipity['fetchLimit'];
+$serendipity['RSSfetchLimit'] = (int)$serendipity['RSSfetchLimit'];
+
 // Try to fix some path settings. It seems common users have this setting wrong
 // when s9y is installed into the root directory, especially 0.7.1 upgrade users.
 if (empty($serendipity['serendipityHTTPPath'])) {
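Review bot: The two `(int)` casts added in serendipity_config.inc.php strip string content but still let `0` (the result for any non-numeric setting) and negative numbers through, and they read both keys without an `isset()` check. If these values are placed in a SQL limit, as the NEWS entry suggests, a negative number would probably produce a query error rather than a page or feed; clamping, e.g. `$serendipity['RSSfetchLimit'] = max(1, (int)$serendipity['RSSfetchLimit']);`, would avoid that, provided `0` has no special meaning elsewhere. The comment could also state the reason: `// These limits are used in SQL queries; force them to integers`. Any code that reloads the configuration after this point would need the same normalisation; none is visible in the hunk, whose trailing `if (empty(...)) {` block continues outside it.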