Permalink
Browse files

#405 prevent subscriber preferences view/update using only the email …

…address. (#406)

#404 remove/revert spaces added in #18880 to $html['preferencesurl'] etc, preventing update of subscriber preferences.
  • Loading branch information...
thedayse authored and samtuke committed Sep 20, 2018
1 parent cbdd474 commit 7ec8ab78f215894c29da8e54ff9d7c41ffde64c6
@@ -194,14 +194,14 @@ function sendEmail($messageid, $email, $hash, $htmlpref = 0, $rssitems = array()
$sep = strpos($url, '?') === false ? '?' : '&';
$html['subscribe'] = sprintf('<a href="%s">%s</a> ', $url, $strThisLink);
$text['subscribe'] = sprintf('%s', $url);
$html['subscribeurl'] = sprintf('%s ', $url);
$html['subscribeurl'] = sprintf('%s', $url);
$text['subscribeurl'] = sprintf('%s ', $url);
$url = getConfig('forwardurl');
$sep = strpos($url, '?') === false ? '?' : '&';
$html['forward'] = sprintf('<a href="%s%suid=%s&amp;mid=%d">%s</a> ', $url, htmlspecialchars($sep), $hash,
$messageid, $strThisLink);
$text['forward'] = sprintf('%s%suid=%s&mid=%d ', $url, $sep, $hash, $messageid);
$html['forwardurl'] = sprintf('%s%suid=%s&amp;mid=%d ', $url, htmlspecialchars($sep), $hash, $messageid);
$html['forwardurl'] = sprintf('%s%suid=%s&amp;mid=%d', $url, htmlspecialchars($sep), $hash, $messageid);
$text['forwardurl'] = $text['forward'];
$html['messageid'] = sprintf('%d', $messageid);
$text['messageid'] = sprintf('%d', $messageid);
@@ -213,14 +213,14 @@ function sendEmail($messageid, $email, $hash, $htmlpref = 0, $rssitems = array()
$url = getConfig('preferencesurl');
$sep = strpos($url, '?') === false ? '?' : '&';
$html['preferences'] = sprintf('<a href="%s%suid=%s">%s</a> ', $url, htmlspecialchars($sep), $hash, $strThisLink);
$text['preferences'] = sprintf('%s%suid=%s ', $url, $sep, $hash);
$html['preferencesurl'] = sprintf('%s%suid=%s ', $url, htmlspecialchars($sep), $hash);
$text['preferencesurl'] = sprintf('%s%suid=%s ', $url, $sep, $hash);
$text['preferences'] = sprintf('%s%suid=%s', $url, $sep, $hash);
$html['preferencesurl'] = sprintf('%s%suid=%s', $url, htmlspecialchars($sep), $hash);
$text['preferencesurl'] = sprintf('%s%suid=%s', $url, $sep, $hash);
$url = getConfig('confirmationurl');
$sep = strpos($url, '?') === false ? '?' : '&';
$html['confirmationurl'] = sprintf('%s%suid=%s ', $url, htmlspecialchars($sep), $hash);
$text['confirmationurl'] = sprintf('%s%suid=%s ', $url, $sep, $hash);
$html['confirmationurl'] = sprintf('%s%suid=%s', $url, htmlspecialchars($sep), $hash);
$text['confirmationurl'] = sprintf('%s%suid=%s', $url, $sep, $hash);
//historical, not sure it's still used
$html['userid'] = $hash;
@@ -415,8 +415,10 @@
$GLOBALS['tables']['user'], $_GET['uid']));
$userid = $req[0];
} else {
$req = Sql_Fetch_Row_query("select id from {$GLOBALS['tables']['user']} where email = \"".sql_escape($_GET['email']).'"');
$userid = $req[0];
// This could be abused and is not required
// $req = Sql_Fetch_Row_query("select id from {$GLOBALS['tables']['user']} where email = \"".sql_escape($_GET['email']).'"');
// $userid = $req[0];
$userid = false;
}
if (!$userid) {
Fatal_Error('Error, no such user');
@@ -85,29 +85,6 @@
$userid = $req[1];
$userpassword = $req[2];
$emailcheck = $req[3];
} elseif (isset($_GET['email'])) {
$req = Sql_Fetch_Row_Query(sprintf('select subscribepage,id,password,email from %s where email = "%s"',
$tables['user'], $_GET['email']));
$id = $req[0];
$userid = $req[1];
$userpassword = $req[2];
$emailcheck = $req[3];
} elseif (isset($_REQUEST['unsubscribeemail'])) {
$req = Sql_Fetch_Row_Query(sprintf('select subscribepage,id,password,email from %s where email = "%s"',
$tables['user'], sql_escape($_REQUEST['unsubscribeemail'])));
$id = $req[0];
$userid = $req[1];
$userpassword = $req[2];
$emailcheck = $req[3];
/*
} elseif ($_SESSION["userloggedin"] && $_SESSION["userid"]) {
$req = Sql_Fetch_Row_Query(sprintf('select subscribepage,id,password,email from %s where id = %d',
$tables["user"],$_SESSION["userid"]));
$id = $req[0];
$userid = $req[1];
$userpassword = $req[2];
$emailcheck = $req[3];
*/
} else {
$userid = '';
$userpassword = '';

0 comments on commit 7ec8ab7

Please sign in to comment.