Update of /cvsroot/php-blog/serendipity
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv16436
Modified Files:
NEWS comment.php index.php serendipity_functions.inc.php
Log Message:
more response splitting fixes
Index: NEWS
===================================================================
RCS file: /cvsroot/php-blog/serendipity/NEWS,v
retrieving revision 1.242
retrieving revision 1.243
diff -u -d -r1.242 -r1.243
--- NEWS 13 Oct 2004 10:44:38 -0000 1.242
+++ NEWS 16 Oct 2004 09:09:46 -0000 1.243
@@ -3,6 +3,12 @@
Version 0.7 ()
------------------------------------------------------------------------
+ * Fixed possible HTTP Response Splitting security issue. Thanks to
+ ChaoticEvil for reporting! (jannis, garvinhicking)
+
+Version 0.7-beta4 (October 14th, 2004)
+------------------------------------------------------------------------
+
* Bug #1016342 - Fixed RSS UTF8 decoding for remote RSS plugin.
(garvinhicking)
Index: serendipity_functions.inc.php
===================================================================
RCS file: /cvsroot/php-blog/serendipity/serendipity_functions.inc.php,v
retrieving revision 1.443
retrieving revision 1.444
diff -u -d -r1.443 -r1.444
--- serendipity_functions.inc.php 15 Oct 2004 14:22:28 -0000 1.443
+++ serendipity_functions.inc.php 16 Oct 2004 09:09:46 -0000 1.444
@@ -1501,8 +1501,9 @@
$query = "UPDATE {$serendipity['dbPrefix']}entries SET allow_comments = '" . ($switch == 'disable' ? 'false' : 'true') . "' WHERE id = '". (int)$entry_id ."' $admin";
serendipity_db_query($query);
- if (serendipity_isResponseClean($_SERVER['HTTP_REFERER']))
+ if (serendipity_isResponseClean($_SERVER['HTTP_REFERER'])) {
header('Location: '. $_SERVER['HTTP_REFERER']);
+ }
} else {
die('What are you up to? You need to be an admin to close comments');
}
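Review bot: The guarded redirect has no fallback: when `$_SERVER['HTTP_REFERER']` is absent or rejected by serendipity_isResponseClean(), no Location header is sent and nothing tells the user the comment switch succeeded. The same pattern appears in the first comment.php hunk, where `die()` follows and the response is empty, and in the comment-save hunks of comment.php and index.php, which `exit` after a rejected `$sc_url`. I would test `isset($_SERVER['HTTP_REFERER']) && serendipity_isResponseClean($_SERVER['HTTP_REFERER'])` and add `else { header('Location: ' . $serendipity['baseURL']); }`, assuming `$serendipity['baseURL']` is in scope here as it is in comment.php. The enclosing function starts and ends outside this hunk.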
Index: comment.php
===================================================================
RCS file: /cvsroot/php-blog/serendipity/comment.php,v
retrieving revision 1.50
retrieving revision 1.51
diff -u -d -r1.50 -r1.51
--- comment.php 15 Oct 2004 14:22:28 -0000 1.50
+++ comment.php 16 Oct 2004 09:09:46 -0000 1.51
@@ -8,8 +8,9 @@
if (isset($serendipity['GET']['delete'], $serendipity['GET']['entry'], $serendipity['GET']['type'])) {
serendipity_deleteComment($serendipity['GET']['delete'], $serendipity['GET']['entry'], $serendipity['GET']['type']);
- if (serendipity_isResponseClean($_SERVER['HTTP_REFERER']))
+ if (serendipity_isResponseClean($_SERVER['HTTP_REFERER'])) {
header('Location: '. $_SERVER['HTTP_REFERER']);
+ }
die();
}
@@ -167,7 +168,10 @@
$comment['parent_id'] = $serendipity['POST']['replyTo'];
if (!empty($comment['comment'])) {
if (serendipity_saveComment($serendipity['POST']['entry_id'], $comment, 'NORMAL')) {
- header('Location: ' . $serendipity['baseURL'] . 'comment.php?entry_id=' . $serendipity['POST']['entry_id'] . '&success=true&url=' . urlencode($_SERVER['HTTP_REFERER']));
+ $sc_url = $serendipity['baseURL'] . 'comment.php?entry_id=' . $serendipity['POST']['entry_id'] . '&success=true&url=' . urlencode($_SERVER['HTTP_REFERER']);
+ if (serendipity_isResponseClean($sc_url)) {
+ header('Location: ' . $sc_url);
+ }
exit;
} else {
echo $html_header;
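Review bot: `$serendipity['POST']['entry_id']` goes into `$sc_url` as raw POST data, so the header's safety rests entirely on serendipity_isResponseClean(), whose definition is not part of this diff. Casting at the point of use, `'comment.php?entry_id=' . (int)$serendipity['POST']['entry_id']`, removes the injectable part outright and leaves the check as a second layer. The Referer portion is already passed through urlencode(). The surrounding if/else continues outside the hunk.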
Index: index.php
===================================================================
RCS file: /cvsroot/php-blog/serendipity/index.php,v
retrieving revision 1.51
retrieving revision 1.52
diff -u -d -r1.51 -r1.52
--- index.php 27 Sep 2004 12:14:38 -0000 1.51
+++ index.php 16 Oct 2004 09:09:46 -0000 1.52
@@ -104,7 +104,10 @@
$comment['parent_id'] = $serendipity['POST']['replyTo'];
if (!empty($comment['comment'])) {
if (serendipity_saveComment($serendipity['POST']['entry_id'], $comment, 'NORMAL')) {
- header('Location: ' . $_SERVER['REQUEST_URI'] . (strstr($_SERVER['REQUEST_URI'], '?') ? '&' : '?') . 'serendipity[csuccess]=' . $serendipity['csuccess']);
+ $sc_url = $_SERVER['REQUEST_URI'] . (strstr($_SERVER['REQUEST_URI'], '?') ? '&' : '?') . 'serendipity[csuccess]=' . $serendipity['csuccess'];
+ if (serendipity_isResponseClean($sc_url)) {
+ header('Location: ' . $sc_url);
+ }
exit;
} else {
$serendipity['messagestack']['comments'][] = COMMENT_NOT_ADDED;
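Review bot: `$serendipity['csuccess']` is appended to the query string without urlencode(), and where it is assigned is not visible in this hunk. If it can carry request data, encoding it with `'serendipity[csuccess]=' . urlencode($serendipity['csuccess'])` keeps control characters and `&` out of the URL before serendipity_isResponseClean() is consulted. The enclosing block continues outside the hunk.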