From 7ec8ab78f215894c29da8e54ff9d7c41ffde64c6 Mon Sep 17 00:00:00 2001
From: Philip Day <13942194+thedayse@users.noreply.github.com>
Date: Thu, 20 Sep 2018 14:50:16 +0200
Subject: [PATCH] #405 prevent subscriber preferences view/update using only
the email address. (#406)
#404 remove/revert the spaces added in #18880 to $html['preferencesurl'] etc., which were preventing subscriber preferences from being updated.
---
public_html/lists/admin/sendemaillib.php | 14 +++++++-------
public_html/lists/admin/subscribelib2.php | 6 ++++--
public_html/lists/index.php | 23 -----------------------
3 files changed, 11 insertions(+), 32 deletions(-)
diff --git a/public_html/lists/admin/sendemaillib.php b/public_html/lists/admin/sendemaillib.php
index 15385bcde..a77223ff4 100644
--- a/public_html/lists/admin/sendemaillib.php
+++ b/public_html/lists/admin/sendemaillib.php
@@ -194,14 +194,14 @@ function sendEmail($messageid, $email, $hash, $htmlpref = 0, $rssitems = array()
$sep = strpos($url, '?') === false ? '?' : '&';
$html['subscribe'] = sprintf('%s ', $url, $strThisLink);
$text['subscribe'] = sprintf('%s', $url);
- $html['subscribeurl'] = sprintf('%s ', $url);
+ $html['subscribeurl'] = sprintf('%s', $url);
$text['subscribeurl'] = sprintf('%s ', $url);
$url = getConfig('forwardurl');
$sep = strpos($url, '?') === false ? '?' : '&';
$html['forward'] = sprintf('%s ', $url, htmlspecialchars($sep), $hash,
$messageid, $strThisLink);
$text['forward'] = sprintf('%s%suid=%s&mid=%d ', $url, $sep, $hash, $messageid);
- $html['forwardurl'] = sprintf('%s%suid=%s&mid=%d ', $url, htmlspecialchars($sep), $hash, $messageid);
+ $html['forwardurl'] = sprintf('%s%suid=%s&mid=%d', $url, htmlspecialchars($sep), $hash, $messageid);
$text['forwardurl'] = $text['forward'];
$html['messageid'] = sprintf('%d', $messageid);
$text['messageid'] = sprintf('%d', $messageid);
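Review bot: `$text['subscribeurl']` on the line right after the changed `$html['subscribeurl']` still carries the trailing space in its format string (`sprintf('%s ', $url)`) while the hunk strips it only from the html variant; if that is not a rendering artefact of this listing, apply the same fix, `$text['subscribeurl'] = sprintf('%s', $url);`, so the text and HTML placeholders do not diverge. Separately, the rewritten `$html['forwardurl']` line escapes only `$sep` and inserts `$url` and `$hash` into an HTML placeholder unescaped, and the `preferencesurl`/`confirmationurl` lines in the next hunk do the same; `$url` comes from `getConfig()` and is presumably admin-controlled, so this is unlikely to be exploitable, but escaping the composed value once, `$html['forwardurl'] = htmlspecialchars(sprintf('%s%suid=%s&mid=%d', $url, $sep, $hash, $messageid));`, is both simpler and consistent. sendEmail's body begins and continues outside these hunks.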
@@ -213,14 +213,14 @@ function sendEmail($messageid, $email, $hash, $htmlpref = 0, $rssitems = array()
$url = getConfig('preferencesurl');
$sep = strpos($url, '?') === false ? '?' : '&';
$html['preferences'] = sprintf('%s ', $url, htmlspecialchars($sep), $hash, $strThisLink);
- $text['preferences'] = sprintf('%s%suid=%s ', $url, $sep, $hash);
- $html['preferencesurl'] = sprintf('%s%suid=%s ', $url, htmlspecialchars($sep), $hash);
- $text['preferencesurl'] = sprintf('%s%suid=%s ', $url, $sep, $hash);
+ $text['preferences'] = sprintf('%s%suid=%s', $url, $sep, $hash);
+ $html['preferencesurl'] = sprintf('%s%suid=%s', $url, htmlspecialchars($sep), $hash);
+ $text['preferencesurl'] = sprintf('%s%suid=%s', $url, $sep, $hash);
$url = getConfig('confirmationurl');
$sep = strpos($url, '?') === false ? '?' : '&';
- $html['confirmationurl'] = sprintf('%s%suid=%s ', $url, htmlspecialchars($sep), $hash);
- $text['confirmationurl'] = sprintf('%s%suid=%s ', $url, $sep, $hash);
+ $html['confirmationurl'] = sprintf('%s%suid=%s', $url, htmlspecialchars($sep), $hash);
+ $text['confirmationurl'] = sprintf('%s%suid=%s', $url, $sep, $hash);
//historical, not sure it's still used
$html['userid'] = $hash;
diff --git a/public_html/lists/admin/subscribelib2.php b/public_html/lists/admin/subscribelib2.php
index 08c8ca40d..20016ca54 100644
--- a/public_html/lists/admin/subscribelib2.php
+++ b/public_html/lists/admin/subscribelib2.php
@@ -415,8 +415,10 @@
$GLOBALS['tables']['user'], $_GET['uid']));
$userid = $req[0];
} else {
- $req = Sql_Fetch_Row_query("select id from {$GLOBALS['tables']['user']} where email = \"".sql_escape($_GET['email']).'"');
- $userid = $req[0];
+ // This could be abused and is not required
+ // $req = Sql_Fetch_Row_query("select id from {$GLOBALS['tables']['user']} where email = \"".sql_escape($_GET['email']).'"');
+ // $userid = $req[0];
+ $userid = false;
}
if (!$userid) {
Fatal_Error('Error, no such user');
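Review bot: The removed lookup is kept in the hunk as commented-out code beneath `// This could be abused and is not required`; dead code should be deleted, and the comment should state what the replacement means for callers, e.g. `$userid = false; // no lookup by email address alone: a subscriber must be identified by uid (#405)`. With `$userid` forced to false, the `if (!$userid)` check below reports `Error, no such user` for both a missing uid and an unknown one, which is the conservative outcome and worth noting in that comment so nobody reinstates the email path. The enclosing block starts before the hunk, so how the `$_GET['uid']` branch above validates its input cannot be seen here.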
diff --git a/public_html/lists/index.php b/public_html/lists/index.php
index b554627cb..b70f45008 100644
--- a/public_html/lists/index.php
+++ b/public_html/lists/index.php
@@ -85,29 +85,6 @@
$userid = $req[1];
$userpassword = $req[2];
$emailcheck = $req[3];
-} elseif (isset($_GET['email'])) {
- $req = Sql_Fetch_Row_Query(sprintf('select subscribepage,id,password,email from %s where email = "%s"',
- $tables['user'], $_GET['email']));
- $id = $req[0];
- $userid = $req[1];
- $userpassword = $req[2];
- $emailcheck = $req[3];
-} elseif (isset($_REQUEST['unsubscribeemail'])) {
- $req = Sql_Fetch_Row_Query(sprintf('select subscribepage,id,password,email from %s where email = "%s"',
- $tables['user'], sql_escape($_REQUEST['unsubscribeemail'])));
- $id = $req[0];
- $userid = $req[1];
- $userpassword = $req[2];
- $emailcheck = $req[3];
- /*
- } elseif ($_SESSION["userloggedin"] && $_SESSION["userid"]) {
- $req = Sql_Fetch_Row_Query(sprintf('select subscribepage,id,password,email from %s where id = %d',
- $tables["user"],$_SESSION["userid"]));
- $id = $req[0];
- $userid = $req[1];
- $userpassword = $req[2];
- $emailcheck = $req[3];
- */
} else {
$userid = '';
$userpassword = '';