Fixed issue #05226 : Remote SQL Injection via bounce header

Dev Fixed Bounce E-Mail security loophole in updating of database for bounces Fixed Issue #05300 : Bounce e-mail must be overriden git-svn-id: file:///Users/Shitiz/Downloads/lssvn/source/limesurvey@10499 b72ed6b6-b9f8-46b5-92b4-906544132732
LimeSurvey · Jul 13, 2011 · 85b2e60 · 85b2e60
1 parent 9e3d13d
commit 85b2e60
Showing 1 changed file with 15 additions and 14 deletions.
diff --git a/admin/tokens.php b/admin/tokens.php
@@ -221,7 +221,7 @@
 // Bouceprocessing
 if($subaction=='bounceprocessing')
 {
-	if ($thissurvey['bounceprocessing']!='N' && !($thissurvey['bounceprocessing']=='G' && getGlobalSetting('bounceaccounttype')=='off') && bHasSurveyPermission($surveyid, 'tokens','update'))
+	if($thissurvey['bounceprocessing'] != 'N' && bHasSurveyPermission($surveyid,'tokens','update'))
 	{
 		$bouncetotal=0;
 		$checktotal=0;
@@ -278,7 +278,7 @@
                 }
             }
 		$flags="";
-        switch($accounttype)
+               switch($accounttype)
 		{
 			case "IMAP":
 			$flags.="/imap";
@@ -296,17 +296,17 @@
 			$flags.="/tls/novalidate-cert";
 			break;
 		}
-		if($mbox=imap_open('{'.$hostname.$flags.'}INBOX',$username,$pass))
+		if(@$mbox=imap_open('{'.$hostname.$flags.'}INBOX',$username,$pass))
 		{
-            imap_errors();
-            $count=imap_num_msg($mbox);
-            if($count>0)
-           {
-             $lasthinfo=imap_headerinfo($mbox,$count);
+                 imap_errors();
+                 $count=imap_num_msg($mbox);
+                 if($count>0)
+                   {
+                        $lasthinfo=imap_headerinfo($mbox,$count);
 			$datelcu = strtotime($lasthinfo->date);
 			$datelastbounce= $datelcu;
 			$lastbounce = $thissurvey['bouncetime'];
-            while($datelcu > $lastbounce)
+                        while($datelcu > $lastbounce)
 			{
 				$header = explode("\r\n",@imap_body($mbox,$count,FT_PEEK)); // Don't put read
 				foreach ($header as $item)
@@ -317,12 +317,13 @@
 					}
 					if (preg_match('/^X-tokenid/',$item))
 					{
-						$tokenBounce=explode(": ",$item);
+                                              	$tokenBounce=explode(": ",$item);
 						if($surveyid == $surveyidBounce[1])
 						{
-							$bouncequery = "UPDATE ".db_table_name("tokens_$surveyid")." SET emailstatus='bounced' WHERE token='$tokenBounce[1]';";
-							$anish=$connect->Execute($bouncequery);
-							$readbounce=imap_body($mbox,$count); // Put read
+                                                        $santsurveyid = sanitize_int($surveyid);
+                                                        $bouncequery = "UPDATE ".db_table_name("tokens_$santsurveyid")." SET emailstatus='bounced' WHERE token='$tokenBounce[1]';";
+							$bmark=$connect->Execute($bouncequery);
+                                                        $readbounce=imap_body($mbox,$count); // Put read
 							if (isset($thissurvey['bounceremove']) && $thissurvey['bounceremove']) // TODO Y or just true, and a imap_delete
 							{
 								$deletebounce=imap_delete($mbox,$count); // Put delete
@@ -334,7 +335,7 @@
 
 				$count--;
 				$lasthinfo=@imap_headerinfo($mbox,$count);
-                $datelc=$lasthinfo->date;
+                                $datelc=$lasthinfo->date;
 				$datelcu = strtotime($datelc);
   				$checktotal++;