Updating PHPMailer to a more secure version, updating less.php to latest submodule commit, fixing strpos checking for csrf
timbuckingham committed Apr 14, 2017
1 parent 7498cc4 commit 7761481
Showing 3 changed files with 1,063 additions and 440 deletions.
2 changes: 1 addition & 1 deletion core/inc/bigtree/admin.php
Expand Up @@ -8374,7 +8374,7 @@ function verifyCSRFToken() {
$clean_domain = str_replace(array("http://","https://"),"//",DOMAIN);
$token = isset($_POST[$this->CSRFTokenField]) ? $_POST[$this->CSRFTokenField] : $_GET[$this->CSRFTokenField];

if (strpos($clean_referer, $clean_domain) === false || $token != $this->CSRFToken) {
if (strpos($clean_referer, $clean_domain) !== 0 || $token != $this->CSRFToken) {
$this->stop("Cross site request forgery detected.");
}
}
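Review bot: the switch from `=== false` to `!== 0` correctly requires `$clean_domain` to sit at the very start of `$clean_referer` rather than anywhere inside it, but because `$clean_domain` is built as `//` plus DOMAIN with no trailing delimiter, a referer whose host merely begins with the site's domain would still satisfy the prefix test. Consider comparing the referer's host component (e.g. `parse_url(..., PHP_URL_HOST)`) against the host of DOMAIN for equality, or requiring the character following the matched prefix to be `/`, `:`, `?` or end of string. While here, the unchanged `$token != $this->CSRFToken` is a loose comparison; `hash_equals($this->CSRFToken, (string) $token)` gives a strict, timing-safe check, and the `$_GET[$this->CSRFTokenField]` fallback should be wrapped in `isset()` so a request carrying neither parameter does not raise a notice.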

2 comments on commit 7761481

@fgeek fgeek commented on 7761481 Apr 16, 2017

Please use CVE-2017-7881 for this issue in ChangeLog. When do you plan to release new version containing this security fix?

@timbuckingham
Collaborator Author

Just pushed an update to the changelog referencing the CVE. The 4.2.18 release should be out this Friday.