Update of /cvsroot/php-blog/serendipity
In directory sc8-pr-cvs1:/tmp/cvs-serv30115
Modified Files:
serendipity_functions.inc.php
Log Message:
We now check that a trackback is valid before going further; this is to prevent exploitation by users.
Index: serendipity_functions.inc.php
===================================================================
RCS file: /cvsroot/php-blog/serendipity/serendipity_functions.inc.php,v
retrieving revision 1.49
retrieving revision 1.50
diff -u -d -r1.49 -r1.50
--- serendipity_functions.inc.php 24 May 2003 19:16:15 -0000 1.49
+++ serendipity_functions.inc.php 24 May 2003 20:35:08 -0000 1.50
@@ -485,7 +485,7 @@
$name = serendipity_db_escape_string($commentInfo['name']);
$url = serendipity_db_escape_string($commentInfo['url']);
$email = serendipity_db_escape_string($commentInfo['email']);
-
+
$t = time();
$query = "INSERT INTO {$serendipity['dbPrefix']}comments (entry_id, author, email, url, body, type, timestamp, title)";
$query .= " VALUES ('$id', '$name', '$email', '$url', '$commentsFixed', '$type', '$t', '$title')";
@@ -810,7 +810,10 @@
function add_trackback ($id, $title, $url, $name, $excerpt)
{
global $serendipity;
-
+ // We can't accept a trackback if we don't get any URl, basic rule...
+ if ( empty($url) ) {
+ return 0;
+ }
$comment['title'] = $title;
$comment['url'] = $url;
$comment['name'] = $name;
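Review bot: The added guard in add_trackback only rejects an empty `$url`; any non-empty value that is not a URL at all still passes, so this is narrower than the "is the trackback valid" check the log message describes. If only web links are meant to be accepted, extend the test to `if ( empty($url) || !preg_match('@^https?://@i', $url) ) {` with the same `return 0;`, and bear in mind that `$title`, `$name` and `$excerpt` are still taken as-is on the lines that follow. The comment's `URl` should read `URL`, e.g. `// A trackback without a source URL cannot be attributed, so reject it outright.`. add_trackback's body continues past the end of the hunk, so whether these values are escaped before they reach the database is not visible here.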