
Security fixes from Tim Coen (file upload, comment token escaping, 2k11 js comment name escaping)

Garvin Hicking
2015-07-24 13:27:21 +02:00
parent c4f9b721e7
commit 00be5d7b4c
7 changed files with 21 additions and 10 deletions
+2 -2
@@ -24,14 +24,14 @@ function serendipity_checkCommentToken($token, $cid) {
WHERE okey LIKE 'comment_%' AND name < " . (time() - 604800) );
// Get the token for this comment id
$tokencheck = serendipity_db_query("SELECT * FROM {$serendipity['dbPrefix']}options
WHERE okey = 'comment_" . $cid . "' LIMIT 1", true, 'assoc');
WHERE okey = 'comment_" . (int)$cid . "' LIMIT 1", true, 'assoc');
// Verify it against the passed key
if (is_array($tokencheck)) {
if ($tokencheck['value'] == $token) {
$goodtoken = true; // use this to bypass security checks later
// if using tokens, delete this comment from that list no matter how we got here
serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}options
WHERE okey = 'comment_" . $cid . "'");
WHERE okey = 'comment_" . (int)$cid . "'");
}
}