[geeklog-cvs] geeklog-1.3/public_html profiles.php,1.25,1.26

dhaun at geeklog.net dhaun at geeklog.net
Sat Nov 8 12:54:12 EST 2003


Update of /usr/cvs/geeklog/geeklog-1.3/public_html
In directory geeklog_prod:/tmp/cvs-serv16063

Modified Files:
	profiles.php 
Log Message:
Integrated Vincent Furia's additional checks (and speed limit) to prevent misuse of the email functions.


Index: profiles.php
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/public_html/profiles.php,v
retrieving revision 1.25
retrieving revision 1.26
diff -C2 -d -r1.25 -r1.26
*** profiles.php	1 Sep 2003 12:53:06 -0000	1.25
--- profiles.php	8 Nov 2003 17:54:09 -0000	1.26
***************
*** 52,55 ****
--- 52,81 ----
      global $_CONF, $_TABLES, $_USER, $LANG08;
  
+     // check for correct $_CONF permission
+     if (empty ($_USER['username']) &&
+         (($_CONF['loginrequired'] == 1) || ($_CONF['emailuserloginrequired'] == 1))
+         && ($uid != 2)) {
+         return COM_refresh ($_CONF['site_url'] . '/index.php');
+     }
+ 
+     // check for correct 'to' user preferences
+     $result = DB_query ("SELECT emailfromadmin,emailfromuser FROM {$_TABLES['userprefs']} WHERE uid = '$uid'");
+     $P = DB_fetchArray ($result);
+     if (SEC_inGroup ('Root') || SEC_hasRights ('user.mail')) {
+         $isAdmin = true;
+     } else {
+         $isAdmin = false;
+     }
+     if ((($P['emailfromadmin'] != 1) && $isAdmin) ||
+         (($P['emailfromuser'] != 1) && !$isAdmin)) {
+         return COM_refresh ($_CONF['site_url'] . '/index.php');
+     }
+ 
+     // check mail speedlimit
+     COM_clearSpeedlimit ($_CONF['speedlimit'], 'mail');
+     if (COM_checkSpeedlimit ('mail') > 0) {
+         return COM_refresh ($_CONF['site_url'] . '/index.php');
+     }
+ 
      if (!empty($author) && !empty($subject) && !empty($message)) {
          if (COM_isemail($authoremail)) {
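Review bot: The new userprefs query interpolates `$uid` straight into the SQL string on the `DB_query` line; unless it has already been cast by code outside this hunk, a non-numeric value reaches the database unescaped. Casting at the point of use closes that: `$result = DB_query ("SELECT emailfromadmin,emailfromuser FROM {$_TABLES['userprefs']} WHERE uid = " . intval ($uid));`. When no userprefs row exists, `DB_fetchArray` yields nothing and both `!= 1` tests succeed, so the check fails closed; a short comment such as `// no prefs row: treat as 'do not email'` would keep a later maintainer from "fixing" that. The enclosing function starts before this hunk, so where `$uid` comes from is not visible here.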
***************
*** 72,75 ****
--- 98,102 ----
              $from = $author . ' <' . $authoremail . '>';
              COM_mail ($A['email'], $subject, $message, $from);
+             COM_updateSpeedlimit ('mail');
  
              $retval .= COM_refresh($_CONF['site_url'] . '/index.php?msg=27');
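Review bot: `COM_updateSpeedlimit ('mail')` is called only on the branch where `COM_mail` actually runs, so submissions rejected earlier by the empty-field and `COM_isemail` tests are never counted, and the limiter checked at function entry throttles successful sends only. If the intent is to limit attempts rather than deliveries, the update belongs before the validation branch; otherwise a comment such as `// only successful sends count against the limit` on the new line would make the choice explicit. The story-mail `COM_mail` call in the last hunk uses the same placement.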
***************
*** 180,183 ****
--- 207,222 ----
   	global $_CONF, $_TABLES, $LANG01, $LANG08;
  
+     // check for correct $_CONF permission
+     if (empty ($_USER['username']) &&
+         (($_CONF['loginrequired'] == 1) || ($_CONF['emailstoryloginrequired'] == 1))) {
+         return COM_refresh ($_CONF['site_url'] . '/article.php?story=' . $sid);
+     }
+ 
+     // check mail speedlimit
+     COM_clearSpeedlimit ($_CONF['speedlimit'], 'mail');
+     if (COM_checkSpeedlimit ('mail') > 0) {
+         return COM_refresh ($_CONF['site_url'] . '/article.php?story=' . $sid);
+     }
+ 
   	$sql = "SELECT uid,title,introtext,bodytext,UNIX_TIMESTAMP(date) AS day FROM {$_TABLES['stories']} WHERE sid = '$sid'";
   	$result = DB_query ($sql);
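Review bot: The new login check reads `$_USER['username']`, but the `global` line directly above it names only `$_CONF`, `$_TABLES`, `$LANG01` and `$LANG08`, so unless an earlier statement outside the hunk declares it, `$_USER` is an undefined local here and `empty ($_USER['username'])` is always true; with `loginrequired` or `emailstoryloginrequired` set, logged-in users are redirected as well. The function in the first hunk already lists `$_USER`, so the fix is to match it: `global $_CONF, $_TABLES, $_USER, $LANG01, $LANG08;`. The two new redirects also append `$sid` to the URL unencoded, as the existing redirect at the end of the function does; `rawurlencode ($sid)` would be safer if `$sid` arrives from the request unchanged. The enclosing function starts outside this hunk.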
***************
*** 208,211 ****
--- 247,251 ----
  
      COM_mail ($toemail, $subject, $mailtext, $mailfrom);
+     COM_updateSpeedlimit ('mail');
  
   	$retval .= COM_refresh ($_CONF['site_url'] . '/article.php?story=' . $sid);




