Adjust fetchLimit to ensure integer content

s9y · Jul 18, 2018 · 1afc4d9 · 1afc4d9
1 parent 19513cd
commit 1afc4d9
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 1 deletion.
diff --git a/docs/NEWS b/docs/NEWS
@@ -35,6 +35,10 @@ Version 2.x.x (major) ()
 Version 2.1.3 ()
 ------------------------------------------------------------------------
 
+    * Security: Make sure that the admins configuration for RSS
+      and blog entry limit is parsed as integer for SQL queries.
+      Thanks to @oreamnos and Hanno Boeck for reporting!
+
     * Security: Prevent XSS possibility in "edit entries" panel.
       Thanks to @oreamnos and Hanno Boeck for reporting!
 

diff --git a/rss.php b/rss.php
@@ -101,7 +101,7 @@
     case 'comments_and_trackbacks':
     case 'trackbacks':
     case 'comments':
-        $entries     = serendipity_fetchComments(isset($_GET['cid']) ? $_GET['cid'] : null, $serendipity['RSSfetchLimit'], 'co.id desc', false, $_GET['type']);
+        $entries     = serendipity_fetchComments(isset($_GET['cid']) ? $_GET['cid'] : null, (int)$serendipity['RSSfetchLimit'], 'co.id desc', false, $_GET['type']);
         $description = $title . ' - ' . $description;
         if (isset($_GET['cid'])) {
             $title   = $title . ' - ' . COMMENTS_FROM . ' "' . $latest_entry[0]['title'] . '"';

diff --git a/serendipity_config.inc.php b/serendipity_config.inc.php
@@ -376,6 +376,10 @@
     $serendipity['lang'] = serendipity_getPostAuthSessionLanguage();
 }
 
+// Ensure that these limits do not contain strings
+$serendipity['fetchLimit'] = (int)$serendipity['fetchLimit'];
+$serendipity['RSSfetchLimit'] = (int)$serendipity['RSSfetchLimit'];
+
 // Try to fix some path settings. It seems common users have this setting wrong
 // when s9y is installed into the root directory, especially 0.7.1 upgrade users.
 if (empty($serendipity['serendipityHTTPPath'])) {