From 63217ef9c9371f660d1dc85d362c68e1c415af45 Mon Sep 17 00:00:00 2001
From: Garvin Hicking
Date: Tue, 17 Sep 2019 10:50:28 +0200
Subject: [PATCH] [BUGFIX] [SECURITY] Fixes only logging to .log and.txt filetype extensions.

Backported from master branch.

Signed-off-by: Thomas Hochstein
---
 docs/NEWS | 4 +++-
 plugins/serendipity_event_spamblock/lang_en.inc.php | 1 +
 .../serendipity_event_spamblock.php | 2 ++
 3 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/docs/NEWS b/docs/NEWS
index 62c34bc7..6cfddf2c 100644
--- a/docs/NEWS
+++ b/docs/NEWS
@@ -1,10 +1,12 @@
 Version 2.3.2-beta1 ()
 ------------------------------------------------------------------------
-  * Fix autologin when using MySQL (thanks @Eike Rathke,
+  * Only allows .txt and .log files for spamblock logging.
+    Thanks to Gary O'Leary-Steele (CVE TBD)
   * Fixes not properly displaying plugin save errors (validation)
+  * Fix autologin when using MySQL (thanks @Eike Rathke,
     https://github.com/s9y/Serendipity/pull/632)
 
 Version 2.3.1 (August 21st, 2019)
diff --git a/plugins/serendipity_event_spamblock/lang_en.inc.php b/plugins/serendipity_event_spamblock/lang_en.inc.php
index 24c3b4e3..ce836108 100644
--- a/plugins/serendipity_event_spamblock/lang_en.inc.php
+++ b/plugins/serendipity_event_spamblock/lang_en.inc.php
@@ -147,3 +147,4 @@
 @define('PLUGIN_EVENT_SPAMBLOCK_SPAM', 'Spam');
 @define('PLUGIN_EVENT_SPAMBLOCK_NOT_SPAM', 'Not spam');
+@define('PLUGIN_EVENT_SPAMBLOCK_LOGFILE_VALIDATE', 'Only file extensions .log and .txt are allowed');
diff --git a/plugins/serendipity_event_spamblock/serendipity_event_spamblock.php b/plugins/serendipity_event_spamblock/serendipity_event_spamblock.php
index a49ec88d..dc8989ac 100644
--- a/plugins/serendipity_event_spamblock/serendipity_event_spamblock.php
+++ b/plugins/serendipity_event_spamblock/serendipity_event_spamblock.php
@@ -353,6 +353,8 @@ class serendipity_event_spamblock extends serendipity_event
                 $propbag->add('name', PLUGIN_EVENT_SPAMBLOCK_LOGFILE);
                 $propbag->add('description', PLUGIN_EVENT_SPAMBLOCK_LOGFILE_DESC);
                 $propbag->add('default', $serendipity['serendipityPath'] . 'spamblock-%Y-%m-%d.log');
+                $propbag->add('validate', '@\.(log|txt)$@imsU');
+                $propbag->add('validate_error', PLUGIN_EVENT_SPAMBLOCK_LOGFILE_VALIDATE);
                 break;
 
             case 'logtype':
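Review bot: The `m` modifier in the added `validate` pattern lets `$` match before any embedded newline, so the extension check can be satisfied by a multi-line value rather than by the end of the configured path, and even without `m` PCRE's `$` accepts a single trailing newline before it. The pattern has no quantifiers and no unescaped dots, so `s` and `U` add nothing; only `i` is doing work. Anchoring at the true end of the subject closes this: `$propbag->add('validate', '@\.(log|txt)\z@i');`. This assumes the propbag `validate` regex is enforced server-side when the configuration is saved, not only in the admin form; if it is client-side only, the file-type restriction would also need a matching check in the code that opens the log file. The enclosing configuration method and its `switch` start and end outside the hunk.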