[BUGFIX] [SECURITY] Fixes only logging to .log and.txt filetype extensions.

Backported from master branch.

Signed-off-by: Thomas Hochstein <thh@inter.net>

docs/NEWS

@@ -1,10 +1,12 @@
 Version 2.3.2-beta1 ()
 ------------------------------------------------------------------------
 
-   * Fix autologin when using MySQL (thanks @Eike Rathke, 
+   * Only allows .txt and .log files for spamblock logging.
+     Thanks to Gary O'Leary-Steele (CVE TBD)
 
    * Fixes not properly displaying plugin save errors (validation)
 
+   * Fix autologin when using MySQL (thanks @Eike Rathke,
      https://github.com/s9y/Serendipity/pull/632)
 
 Version 2.3.1 (August 21st, 2019)

plugins/serendipity_event_spamblock/lang_en.inc.php

@@ -147,3 +147,4 @@
 @define('PLUGIN_EVENT_SPAMBLOCK_SPAM', 'Spam');
 @define('PLUGIN_EVENT_SPAMBLOCK_NOT_SPAM', 'Not spam');
 
+@define('PLUGIN_EVENT_SPAMBLOCK_LOGFILE_VALIDATE', 'Only file extensions .log and .txt are allowed');

plugins/serendipity_event_spamblock/serendipity_event_spamblock.php

@@ -353,6 +353,8 @@ class serendipity_event_spamblock extends serendipity_event
                 $propbag->add('name', PLUGIN_EVENT_SPAMBLOCK_LOGFILE);
                 $propbag->add('description', PLUGIN_EVENT_SPAMBLOCK_LOGFILE_DESC);
                 $propbag->add('default', $serendipity['serendipityPath'] . 'spamblock-%Y-%m-%d.log');
+                $propbag->add('validate', '@\.(log|txt)$@imsU');
+                $propbag->add('validate_error', PLUGIN_EVENT_SPAMBLOCK_LOGFILE_VALIDATE);
                 break;
 
             case 'logtype':