From 7ec8ab78f215894c29da8e54ff9d7c41ffde64c6 Mon Sep 17 00:00:00 2001
From: Philip Day <13942194+thedayse@users.noreply.github.com>
Date: Thu, 20 Sep 2018 14:50:16 +0200
Subject: [PATCH] #405 prevent subscriber preferences view/update using only the email address. (#406) #404 remove/revert spaces added in #18880 to $html['preferencesurl'] etc, preventing update of subscriber preferences.
---
 public_html/lists/admin/sendemaillib.php | 14 +++++++-------
 public_html/lists/admin/subscribelib2.php | 6 ++++--
 public_html/lists/index.php | 23 -----------------------
 3 files changed, 11 insertions(+), 32 deletions(-)

diff --git a/public_html/lists/admin/sendemaillib.php b/public_html/lists/admin/sendemaillib.php
index 15385bcde..a77223ff4 100644
--- a/public_html/lists/admin/sendemaillib.php
+++ b/public_html/lists/admin/sendemaillib.php
@@ -194,14 +194,14 @@ function sendEmail($messageid, $email, $hash, $htmlpref = 0, $rssitems = array()
     $sep = strpos($url, '?') === false ? '?' : '&';
     $html['subscribe'] = sprintf('%s ', $url, $strThisLink);
     $text['subscribe'] = sprintf('%s', $url);
-    $html['subscribeurl'] = sprintf('%s ', $url);
+    $html['subscribeurl'] = sprintf('%s', $url);
     $text['subscribeurl'] = sprintf('%s ', $url);
 
     $url = getConfig('forwardurl');
     $sep = strpos($url, '?') === false ? '?' : '&';
     $html['forward'] = sprintf('%s ', $url, htmlspecialchars($sep), $hash, $messageid, $strThisLink);
     $text['forward'] = sprintf('%s%suid=%s&mid=%d ', $url, $sep, $hash, $messageid);
-    $html['forwardurl'] = sprintf('%s%suid=%s&mid=%d ', $url, htmlspecialchars($sep), $hash, $messageid);
+    $html['forwardurl'] = sprintf('%s%suid=%s&mid=%d', $url, htmlspecialchars($sep), $hash, $messageid);
     $text['forwardurl'] = $text['forward'];
     $html['messageid'] = sprintf('%d', $messageid);
     $text['messageid'] = sprintf('%d', $messageid);
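Review bot: The trailing blank this hunk strips from `$html['subscribeurl']` and `$html['forwardurl']` is still present on the unchanged `$text['subscribeurl'] = sprintf('%s ', $url);` and `$text['forward'] = sprintf('%s%suid=%s&mid=%d ', ...)` lines, and `$text['forwardurl'] = $text['forward'];` copies it into the plain-text variant as well. Unless that blank is an artefact of how this listing was rendered, the text-mail links carry the same stray space that the commit message blames for the broken preferences update, so the fix should cover them too: `$text['subscribeurl'] = sprintf('%s', $url);` and `$text['forward'] = sprintf('%s%suid=%s&mid=%d', $url, $sep, $hash, $messageid);`. The enclosing sendEmail() starts before this hunk and continues after it.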
@@ -213,14 +213,14 @@ function sendEmail($messageid, $email, $hash, $htmlpref = 0, $rssitems = array()
     $url = getConfig('preferencesurl');
     $sep = strpos($url, '?') === false ? '?' : '&';
     $html['preferences'] = sprintf('%s ', $url, htmlspecialchars($sep), $hash, $strThisLink);
-    $text['preferences'] = sprintf('%s%suid=%s ', $url, $sep, $hash);
-    $html['preferencesurl'] = sprintf('%s%suid=%s ', $url, htmlspecialchars($sep), $hash);
-    $text['preferencesurl'] = sprintf('%s%suid=%s ', $url, $sep, $hash);
+    $text['preferences'] = sprintf('%s%suid=%s', $url, $sep, $hash);
+    $html['preferencesurl'] = sprintf('%s%suid=%s', $url, htmlspecialchars($sep), $hash);
+    $text['preferencesurl'] = sprintf('%s%suid=%s', $url, $sep, $hash);
 
     $url = getConfig('confirmationurl');
     $sep = strpos($url, '?') === false ? '?' : '&';
-    $html['confirmationurl'] = sprintf('%s%suid=%s ', $url, htmlspecialchars($sep), $hash);
-    $text['confirmationurl'] = sprintf('%s%suid=%s ', $url, $sep, $hash);
+    $html['confirmationurl'] = sprintf('%s%suid=%s', $url, htmlspecialchars($sep), $hash);
+    $text['confirmationurl'] = sprintf('%s%suid=%s', $url, $sep, $hash);
 
     //historical, not sure it's still used
     $html['userid'] = $hash;
diff --git a/public_html/lists/admin/subscribelib2.php b/public_html/lists/admin/subscribelib2.php
index 08c8ca40d..20016ca54 100644
--- a/public_html/lists/admin/subscribelib2.php
+++ b/public_html/lists/admin/subscribelib2.php
@@ -415,8 +415,10 @@
             $GLOBALS['tables']['user'], $_GET['uid']));
         $userid = $req[0];
     } else {
-        $req = Sql_Fetch_Row_query("select id from {$GLOBALS['tables']['user']} where email = \"".sql_escape($_GET['email']).'"');
-        $userid = $req[0];
+        // This could be abused and is not required
+        // $req = Sql_Fetch_Row_query("select id from {$GLOBALS['tables']['user']} where email = \"".sql_escape($_GET['email']).'"');
+        // $userid = $req[0];
+        $userid = false;
     }
     if (!$userid) {
         Fatal_Error('Error, no such user');
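Review bot: In the rewritten `$html['preferencesurl']` and `$html['confirmationurl']` lines only `$sep` is passed through htmlspecialchars(), while `$url` (from getConfig()) and `$hash` are placed into the HTML variant raw, so a configured preferences or confirmation URL that already carries a query string or a quote character would be emitted unescaped inside markup. For consistency with how `$sep` is handled, escape the whole HTML-side value: `$html['preferencesurl'] = htmlspecialchars(sprintf('%s%suid=%s', $url, $sep, $hash));` and the same for `$html['confirmationurl']`, leaving the `$text[...]` variants as they are. I am assuming `$hash` is the subscriber's generated uniqid, which is harmless either way; the point is the admin-configured URL. The enclosing sendEmail() starts before this hunk and continues past it.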
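Review bot: The new else branch keeps the abusable email lookup as commented-out code under a comment that only says it "could be abused", which leaves the query one uncomment away from coming back and does not tell a maintainer why it was removed. Delete the two commented lines and record the decision instead, e.g. `// #405: never resolve a subscriber from the e-mail address alone - knowing an address must not grant access to that subscriber's preferences; only the uid path above is trusted.` directly above `$userid = false;`. The first context line `$GLOBALS['tables']['user'], $_GET['uid']));` is the tail of the query that resolves `$_GET['uid']`, whose start lies outside the hunk, so I cannot see whether that value is passed through sql_escape(); since it is now the only lookup path, that is worth confirming. The enclosing if statement starts before this hunk.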
diff --git a/public_html/lists/index.php b/public_html/lists/index.php
index b554627cb..b70f45008 100644
--- a/public_html/lists/index.php
+++ b/public_html/lists/index.php
@@ -85,29 +85,6 @@
     $userid = $req[1];
     $userpassword = $req[2];
     $emailcheck = $req[3];
-} elseif (isset($_GET['email'])) {
-    $req = Sql_Fetch_Row_Query(sprintf('select subscribepage,id,password,email from %s where email = "%s"',
-        $tables['user'], $_GET['email']));
-    $id = $req[0];
-    $userid = $req[1];
-    $userpassword = $req[2];
-    $emailcheck = $req[3];
-} elseif (isset($_REQUEST['unsubscribeemail'])) {
-    $req = Sql_Fetch_Row_Query(sprintf('select subscribepage,id,password,email from %s where email = "%s"',
-        $tables['user'], sql_escape($_REQUEST['unsubscribeemail'])));
-    $id = $req[0];
-    $userid = $req[1];
-    $userpassword = $req[2];
-    $emailcheck = $req[3];
-    /*
-    } elseif ($_SESSION["userloggedin"] && $_SESSION["userid"]) {
-        $req = Sql_Fetch_Row_Query(sprintf('select subscribepage,id,password,email from %s where id = %d',
-            $tables["user"],$_SESSION["userid"]));
-        $id = $req[0];
-        $userid = $req[1];
-        $userpassword = $req[2];
-        $emailcheck = $req[3];
-    */
 } else {
     $userid = '';
     $userpassword = '';