
Updating PHPMailer to a more secure version, updating less.php to latest submodule commit, fixing strpos checking for csrf
timbuckingham committed Apr 14, 2017
1 parent 7498cc4 commit 7761481ac40d83ac29fef42bc6b3c07c86694b56
Showing with 1,063 additions and 440 deletions.
  1. +1 −1 core/inc/bigtree/admin.php
  2. +1 −1 core/inc/lib/less.php
  3. +1,061 −438 core/inc/lib/phpmailer.php
@@ -8374,7 +8374,7 @@ function verifyCSRFToken() {
$clean_domain = str_replace(array("http://","https://"),"//",DOMAIN);
$token = isset($_POST[$this->CSRFTokenField]) ? $_POST[$this->CSRFTokenField] : $_GET[$this->CSRFTokenField];
if (strpos($clean_referer, $clean_domain) === false || $token != $this->CSRFToken) {
if (strpos($clean_referer, $clean_domain) !== 0 || $token != $this->CSRFToken) {
$this->stop("Cross site request forgery detected.");
}
}
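Review bot: the new prefix check `strpos($clean_referer, $clean_domain) !== 0` is stricter than the substring check it replaces, but it still only compares the leading characters of the referer, so any referer whose host merely begins with the configured domain (a longer hostname that continues past it) satisfies it as well; compare the host returned by `parse_url($referer, PHP_URL_HOST)` for equality with the configured host, or require `$clean_domain` to be followed by `/`, `?`, `#` or the end of the string. Two smaller points in the same hunk: `$_GET[$this->CSRFTokenField]` is read without an `isset()` guard and raises a notice when neither parameter is present, and the token comparison should use `hash_equals((string)$this->CSRFToken, (string)$token)` rather than `!=`, which is a loose, non-constant-time comparison.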

2 comments on commit 7761481

@fgeek


replied Apr 16, 2017

Please use CVE-2017-7881 for this issue in ChangeLog. When do you plan to release new version containing this security fix?

@timbuckingham

Collaborator Author

replied Apr 17, 2017

Just pushed an update to the changelog referencing the CVE. The 4.2.18 release should be out this Friday.
