diff --git a/public_html/lists/admin/sendemaillib.php b/public_html/lists/admin/sendemaillib.php
index 15385bcde..a77223ff4 100644
--- a/public_html/lists/admin/sendemaillib.php
+++ b/public_html/lists/admin/sendemaillib.php
@@ -194,14 +194,14 @@ function sendEmail($messageid, $email, $hash, $htmlpref = 0, $rssitems = array()
$sep = strpos($url, '?') === false ? '?' : '&';
$html['subscribe'] = sprintf('%s ', $url, $strThisLink);
$text['subscribe'] = sprintf('%s', $url);
- $html['subscribeurl'] = sprintf('%s ', $url);
+ $html['subscribeurl'] = sprintf('%s', $url);
$text['subscribeurl'] = sprintf('%s ', $url);
$url = getConfig('forwardurl');
$sep = strpos($url, '?') === false ? '?' : '&';
$html['forward'] = sprintf('%s ', $url, htmlspecialchars($sep), $hash,
$messageid, $strThisLink);
$text['forward'] = sprintf('%s%suid=%s&mid=%d ', $url, $sep, $hash, $messageid);
- $html['forwardurl'] = sprintf('%s%suid=%s&mid=%d ', $url, htmlspecialchars($sep), $hash, $messageid);
+ $html['forwardurl'] = sprintf('%s%suid=%s&mid=%d', $url, htmlspecialchars($sep), $hash, $messageid);
$text['forwardurl'] = $text['forward'];
$html['messageid'] = sprintf('%d', $messageid);
$text['messageid'] = sprintf('%d', $messageid);
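Review bot: The trailing space is dropped from `$html['subscribeurl']` and `$html['forwardurl']`, but `$text['subscribeurl']` and `$text['forward']` in this hunk still end in a space, and `$text['forwardurl']` is copied from `$text['forward']`, so the plain-text URL placeholders keep the whitespace that the HTML ones lose. The next hunk does strip the text variants for the preferences and confirmation URLs, so the two hunks are inconsistent. If a `*url` placeholder is meant to expand to exactly the link, use `$text['subscribeurl'] = sprintf('%s', $url);` and build `$text['forwardurl']` with its own `sprintf('%s%suid=%s&mid=%d', $url, $sep, $hash, $messageid)`. As rendered here, `$html['forwardurl']` escapes `$sep` but carries a literal `&mid=`; if that is how the file reads rather than an artefact of this page, it should be `&amp;mid=` to match. The body of `sendEmail` starts and ends outside the hunk.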
@@ -213,14 +213,14 @@ function sendEmail($messageid, $email, $hash, $htmlpref = 0, $rssitems = array()
$url = getConfig('preferencesurl');
$sep = strpos($url, '?') === false ? '?' : '&';
$html['preferences'] = sprintf('%s ', $url, htmlspecialchars($sep), $hash, $strThisLink);
- $text['preferences'] = sprintf('%s%suid=%s ', $url, $sep, $hash);
- $html['preferencesurl'] = sprintf('%s%suid=%s ', $url, htmlspecialchars($sep), $hash);
- $text['preferencesurl'] = sprintf('%s%suid=%s ', $url, $sep, $hash);
+ $text['preferences'] = sprintf('%s%suid=%s', $url, $sep, $hash);
+ $html['preferencesurl'] = sprintf('%s%suid=%s', $url, htmlspecialchars($sep), $hash);
+ $text['preferencesurl'] = sprintf('%s%suid=%s', $url, $sep, $hash);
$url = getConfig('confirmationurl');
$sep = strpos($url, '?') === false ? '?' : '&';
- $html['confirmationurl'] = sprintf('%s%suid=%s ', $url, htmlspecialchars($sep), $hash);
- $text['confirmationurl'] = sprintf('%s%suid=%s ', $url, $sep, $hash);
+ $html['confirmationurl'] = sprintf('%s%suid=%s', $url, htmlspecialchars($sep), $hash);
+ $text['confirmationurl'] = sprintf('%s%suid=%s', $url, $sep, $hash);
//historical, not sure it's still used
$html['userid'] = $hash;
diff --git a/public_html/lists/admin/subscribelib2.php b/public_html/lists/admin/subscribelib2.php
index 08c8ca40d..20016ca54 100644
--- a/public_html/lists/admin/subscribelib2.php
+++ b/public_html/lists/admin/subscribelib2.php
@@ -415,8 +415,10 @@
$GLOBALS['tables']['user'], $_GET['uid']));
$userid = $req[0];
} else {
- $req = Sql_Fetch_Row_query("select id from {$GLOBALS['tables']['user']} where email = \"".sql_escape($_GET['email']).'"');
- $userid = $req[0];
+ // This could be abused and is not required
+ // $req = Sql_Fetch_Row_query("select id from {$GLOBALS['tables']['user']} where email = \"".sql_escape($_GET['email']).'"');
+ // $userid = $req[0];
+ $userid = false;
}
if (!$userid) {
Fatal_Error('Error, no such user');
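Review bot: The surviving branch still passes `$_GET['uid']` straight into the query arguments (the context line ending `$GLOBALS['tables']['user'], $_GET['uid']));`). Its format string is above the hunk, so it is not visible whether the value is quoted and escaped; if it is not, wrap it as `sql_escape($_GET['uid'])`, as the removed e-mail lookup did. The disabled lookup is kept as commented-out code under `// This could be abused and is not required`, which does not tell a maintainer what the abuse is. Deleting the two dead lines and stating the reason would be clearer, for example `// Identify the subscriber by uid only; an email address in the query string must not select an account.` (assuming that is the abuse meant). With `$userid = false;` the else branch now always ends in `Fatal_Error('Error, no such user')`, and the enclosing block begins before the hunk.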
diff --git a/public_html/lists/index.php b/public_html/lists/index.php
index b554627cb..b70f45008 100644
--- a/public_html/lists/index.php
+++ b/public_html/lists/index.php
@@ -85,29 +85,6 @@
$userid = $req[1];
$userpassword = $req[2];
$emailcheck = $req[3];
-} elseif (isset($_GET['email'])) {
- $req = Sql_Fetch_Row_Query(sprintf('select subscribepage,id,password,email from %s where email = "%s"',
- $tables['user'], $_GET['email']));
- $id = $req[0];
- $userid = $req[1];
- $userpassword = $req[2];
- $emailcheck = $req[3];
-} elseif (isset($_REQUEST['unsubscribeemail'])) {
- $req = Sql_Fetch_Row_Query(sprintf('select subscribepage,id,password,email from %s where email = "%s"',
- $tables['user'], sql_escape($_REQUEST['unsubscribeemail'])));
- $id = $req[0];
- $userid = $req[1];
- $userpassword = $req[2];
- $emailcheck = $req[3];
- /*
- } elseif ($_SESSION["userloggedin"] && $_SESSION["userid"]) {
- $req = Sql_Fetch_Row_Query(sprintf('select subscribepage,id,password,email from %s where id = %d',
- $tables["user"],$_SESSION["userid"]));
- $id = $req[0];
- $userid = $req[1];
- $userpassword = $req[2];
- $emailcheck = $req[3];
- */
} else {
$userid = '';
$userpassword = '';