mbirth/LuckyCoinkydink
1
0
Fork 0
Code Issues Pull Requests Activity

escape hotlinked image

Browse Source
This commit is contained in:
Garvin Hicking 2013-02-08 08:29:48 +01:00
parent b6fa7eb1ef
commit 63ba9b0431
2 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
docs/NEWS
View File

@ -13,7 +13,8 @@ Version 1.7 ()
------------------------------------------------------------------------
* Media database: Escape more Cookie values to prevent storing
possible XSS (http://board.s9y.org/viewtopic.php?f=3&t=19142)
possible XSS (http://board.s9y.org/viewtopic.php?f=3&t=19142).
Escape hotlinked media filename.
* rc2: Alter entries.tpl to add the line:
{assign var="entry" value=$entry scope="parent"}

2
include/admin/images.inc.php
View File

@ -214,6 +214,8 @@ switch ($serendipity['GET']['adminAction']) {
$new_media = array();
$serendipity['POST']['imageurl'] = htmlspecialchars($serendipity['POST']['imageurl']);
// First find out whether to fetch a file or accept an upload
if ($serendipity['POST']['imageurl'] != '' && $serendipity['POST']['imageurl'] != 'http://') {
if (!empty($serendipity['POST']['target_filename'][2])) {