|
From: Garvin H. <gar...@us...> - 2004-10-16 09:12:27
|
Update of /cvsroot/php-blog/serendipity In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv16962 Modified Files: Tag: branch-smarty NEWS comment.php exit.php index.php serendipity_functions.inc.php Log Message: MFH for this lazy jannis-guy :) Index: NEWS =================================================================== RCS file: /cvsroot/php-blog/serendipity/NEWS,v retrieving revision 1.214.2.34 retrieving revision 1.214.2.35 diff -u -d -r1.214.2.34 -r1.214.2.35 --- NEWS 13 Oct 2004 10:45:57 -0000 1.214.2.34 +++ NEWS 16 Oct 2004 09:12:15 -0000 1.214.2.35 @@ -35,12 +35,18 @@ Version 0.7 () ------------------------------------------------------------------------ + * Fixed possible HTTP Response Splitting security issue. Thanks to + ChaoticEvil for reporting! (jannis, garvinhicking) + +Version 0.7-beta4 (October 14th, 2004) +------------------------------------------------------------------------ + * Bug #1016342 - Fixed RSS UTF8 decoding for remote RSS plugin. (garvinhicking) - + * Fixed some wrong calculations in the statistics plugin, thanks to David DeLauro! (garvinhicking) - + * Fixed entry count and category association bugs using SQLite (garvinhicking) @@ -124,6 +130,9 @@ Version 0.7-beta2 (September 15th, 2004) ------------------------------------------------------------------------ + * Fixed entries pagination for special cases where quickump calendar + was displayed on the left sidebar (garvinhicking) + * Added Italian translations, thanks to Alessandro Pellizzari * Fixed missing CSS-class for BBCode Event-Plugin (Jez Hancock) Index: serendipity_functions.inc.php =================================================================== RCS file: /cvsroot/php-blog/serendipity/serendipity_functions.inc.php,v retrieving revision 1.419.2.50 retrieving revision 1.419.2.51 diff -u -d -r1.419.2.50 -r1.419.2.51 --- serendipity_functions.inc.php 13 Oct 2004 09:31:16 -0000 1.419.2.50 +++ serendipity_functions.inc.php 16 Oct 2004 09:12:15 -0000 1.419.2.51 @@ -1111,7 +1111,9 @@ $query = "UPDATE {$serendipity['dbPrefix']}entries SET allow_comments = '" . ($switch == 'disable' ? 'false' : 'true') . "' WHERE id = '". (int)$entry_id ."' $admin"; serendipity_db_query($query); - header('Location: '. $_SERVER['HTTP_REFERER']); + if (serendipity_isResponseClean($_SERVER['HTTP_REFERER'])) { + header('Location: '. $_SERVER['HTTP_REFERER']); + } } else { die('What are you up to? You need to be an admin to close comments'); } @@ -3520,6 +3522,9 @@ return serendipity_printTrackbacks(serendipity_fetchTrackbacks($params['entry'])); } +function serendipity_isResponseClean($d) { + return (strpos($d, "\r") === false && strpos($d, "\n") === false); +} define("serendipity_FUNCTIONS_LOADED", true); /* vim: set sts=4 ts=4 expandtab : */ Index: exit.php =================================================================== RCS file: /cvsroot/php-blog/serendipity/exit.php,v retrieving revision 1.6 retrieving revision 1.6.2.1 diff -u -d -r1.6 -r1.6.2.1 --- exit.php 5 Jul 2004 08:25:49 -0000 1.6 +++ exit.php 16 Oct 2004 09:12:15 -0000 1.6.2.1 @@ -23,7 +23,9 @@ $url = str_replace('&', '&', base64_decode($_GET['url'])); } -header('Location: ' . $url); +if (serendipity_isResponseClean($url)) { + header('Location: ' . $url); +} exit; /* vim: set sts=4 ts=4 expandtab : */ ?> Index: comment.php =================================================================== RCS file: /cvsroot/php-blog/serendipity/comment.php,v retrieving revision 1.44.2.5 retrieving revision 1.44.2.6 diff -u -d -r1.44.2.5 -r1.44.2.6 --- comment.php 5 Oct 2004 19:56:30 -0000 1.44.2.5 +++ comment.php 16 Oct 2004 09:12:15 -0000 1.44.2.6 @@ -8,7 +8,9 @@ if (isset($serendipity['GET']['delete'], $serendipity['GET']['entry'], $serendipity['GET']['type'])) { serendipity_deleteComment($serendipity['GET']['delete'], $serendipity['GET']['entry'], $serendipity['GET']['type']); - header('Location: '. $_SERVER['HTTP_REFERER']); die(); + if (serendipity_isResponseClean($_SERVER['HTTP_REFERER'])) { + header('Location: '. $_SERVER['HTTP_REFERER']); + } } if (isset($serendipity['GET']['switch'], $serendipity['GET']['entry'])) { @@ -163,7 +165,10 @@ $comment['parent_id'] = $serendipity['POST']['replyTo']; if (!empty($comment['comment'])) { if (serendipity_saveComment($serendipity['POST']['entry_id'], $comment, 'NORMAL')) { - header('Location: ' . $serendipity['baseURL'] . 'comment.php?entry_id=' . $serendipity['POST']['entry_id'] . '&success=true&url=' . urlencode($_SERVER['HTTP_REFERER'])); + $sc_url = $serendipity['baseURL'] . 'comment.php?entry_id=' . $serendipity['POST']['entry_id'] . '&success=true&url=' . urlencode($_SERVER['HTTP_REFERER']); + if (serendipity_isResponseClean($sc_url)) { + header('Location: ' . $sc_url); + } exit; } else { echo $html_header; Index: index.php =================================================================== RCS file: /cvsroot/php-blog/serendipity/index.php,v retrieving revision 1.49.2.5 retrieving revision 1.49.2.6 diff -u -d -r1.49.2.5 -r1.49.2.6 --- index.php 30 Sep 2004 18:05:44 -0000 1.49.2.5 +++ index.php 16 Oct 2004 09:12:15 -0000 1.49.2.6 @@ -118,7 +118,10 @@ $comment['parent_id'] = $serendipity['POST']['replyTo']; if (!empty($comment['comment'])) { if (serendipity_saveComment($serendipity['POST']['entry_id'], $comment, 'NORMAL')) { - header('Location: ' . $_SERVER['REQUEST_URI'] . (strstr($_SERVER['REQUEST_URI'], '?') ? '&' : '?') . 'serendipity[csuccess]=' . $serendipity['csuccess']); + $sc_url = $_SERVER['REQUEST_URI'] . (strstr($_SERVER['REQUEST_URI'], '?') ? '&' : '?') . 'serendipity[csuccess]=' . $serendipity['csuccess']; + if (serendipity_isResponseClean($sc_url)) { + header('Location: ' . $sc_url); + } exit; } else { $serendipity['messagestack']['comments'][] = COMMENT_NOT_ADDED; |
