From acf9321f23965aa795dceff59419bf28de065843 Mon Sep 17 00:00:00 2001
From: Garvin Hicking
Date: Sun, 17 Jun 2007 10:45:24 +0000
Subject: [PATCH] Fix SQL injection reported by Dr. Neal Krawetz
---
docs/NEWS | 27 ++++++++++++++++++---------
include/functions_comments.inc.php | 6 +++---
2 files changed, 21 insertions(+), 12 deletions(-)
diff --git a/docs/NEWS b/docs/NEWS
index 0ffcb11d..7d83f049 100644
--- a/docs/NEWS
+++ b/docs/NEWS
@@ -3,7 +3,7 @@ Version 1.2 ()
 ------------------------------------------------------------------------
- * When a category or entry does not exist, emit HTTP 404 message
+ * When a category or entry does not exist, emit HTTP 404 message
 template instead of "No entries to print" and HTTP 200 status. (garvinhicking) 
@@ -16,28 +16,28 @@ Version 1.2 ()
 * Fix properly reinstantiating sessions and properly deleting cookies when requested (garvinhicking)
- * Add support for sqlite3 (http://php-sqlite3.sourceforge.net/), by
+ * Add support for sqlite3 (http://php-sqlite3.sourceforge.net/), by
 geekmug * Change database types for IP addresses to varchar(64) to support IPv6 (garvinhicking) * Make statistics, karma and spamblock plugin only log 255 characters
- of HTTP User-Agent and Referrer strings to the database, as the
+ of HTTP User-Agent and Referrer strings to the database, as the
 fields are only varchar(255). Thanks to jemm4jemm!
-
+
 * Fix bug in conjunction with PHP 5.2.1 changed variable-by-reference handling that could result in no groups being listed for author accounts (garvinhicking) * Fix redundant space when inserting links through the non-WYSIWYG editor panel. Fix "null" insertion. Thanks to Alp Uckan.
-
+
 * Fix RSS fullfeed "let client decide" option typo. Previously this always enforced a fullfeed to show, regardless of what the client indicated. Thanks to stm9x9 (garvinhicking)
-
- * Add proper charset to CSS stylesheet. Thanks to SADtg
+
+ * Add proper charset to CSS stylesheet. Thanks to SADtg
 (garvinhicking) * Strip tags from comments also in RSS-Feeds for comments, thanks to
@@ -47,7 +47,7 @@ Version 1.2 ()
 thanks to Thijs Kinkhorst * Enabled setting cache-control headers by default.
-
+
 * Fix wrong next/previous page links when using wrapper.php indexFile option. (garvinhicking) 
@@ -162,7 +162,16 @@ Version 1.2 ()
 * Allow to call permalinks that end with a "/" the same as if not ending with a "/" (garvinhicking)
-Version 1.1.2 ()
+Version 1.1.3 (June 17th, 2007)
+------------------------------------------------------------------------
+
+ * Fix SQL injection through 'commentMode' variable. Thanks to
+ Dr. Neal Krawetz
+
+ * Fix missing %username% permalink pattern in single entry view.
+ Patch by cress_cc
+
+Version 1.1.2 (March 1st, 2007)
 -----------------------------------------------------------------------
 * Fix showing SQL error message when an empty category is selected
diff --git a/include/functions_comments.inc.php b/include/functions_comments.inc.php
index 694ec7c0..cf05565c 100644
--- a/include/functions_comments.inc.php
+++ b/include/functions_comments.inc.php
@@ -313,7 +313,7 @@ function serendipity_printComments($comments, $parentid = 0, $depth = 0, $trace
 function serendipity_printCommentsByAuthor() {
 global $serendipity;
- $type = $serendipity['GET']['commentMode'];
+ $type = serendipity_db_escape_string($serendipity['GET']['commentMode']);
 if ($type == 'comments' || empty($type)) {
 $type = 'NORMAL';
@@ -441,10 +441,10 @@ function serendipity_deleteComment($id, $entry_id, $type='comments') {
 serendipity_db_query("UPDATE {$serendipity['dbPrefix']}comments SET parent_id = " . (int)$sql['parent_id'] . " WHERE parent_id = " . $id);
 }
-
+
 $addData = array('cid' => $id, 'entry_id' => $entry_id);
 serendipity_plugin_api::hook_event('backend_deletecomment', $sql, $addData);
-
+
 return true;
 } else {
 return false;
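Review bot: Escaping `commentMode` with serendipity_db_escape_string() on the added line neutralises quote characters, but `$type` remains request-chosen text that flows into whatever query the rest of serendipity_printCommentsByAuthor() builds; the function body continues past the hunk, so how `$type` is interpolated is not visible here. Since the visible branch already folds `'comments'` and an empty value into the fixed token `'NORMAL'`, the more robust fix is an allow-list: map the GET value onto the fixed set of modes the function accepts and fall back to `'NORMAL'` for anything else, so that no request-controlled string is ever concatenated into SQL and correctness no longer depends on the escaping behaviour of each database backend (the NEWS hunk notes sqlite3 support was added in the same release). Reading `$serendipity['GET']['commentMode']` without `isset()` also raises a notice when the parameter is absent; `$type = isset($serendipity['GET']['commentMode']) ? $serendipity['GET']['commentMode'] : '';` avoids that while keeping the `empty($type)` fallback intact. The second hunk in this file only removes trailing whitespace and needs no change.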