[geeklog-cvs] geeklog-1.3/public_html profiles.php,1.25,1.26
dhaun at geeklog.net
dhaun at geeklog.net
Sat Nov 8 12:54:12 EST 2003
Update of /usr/cvs/geeklog/geeklog-1.3/public_html
In directory geeklog_prod:/tmp/cvs-serv16063
Modified Files:
profiles.php
Log Message:
Integrated Vincent Furia's additional checks (and speed limit) to prevent misuse of the email functions.
Index: profiles.php
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/public_html/profiles.php,v
retrieving revision 1.25
retrieving revision 1.26
diff -C2 -d -r1.25 -r1.26
*** profiles.php 1 Sep 2003 12:53:06 -0000 1.25
--- profiles.php 8 Nov 2003 17:54:09 -0000 1.26
***************
*** 52,55 ****
--- 52,81 ----
global $_CONF, $_TABLES, $_USER, $LANG08;
+ // check for correct $_CONF permission
+ if (empty ($_USER['username']) &&
+ (($_CONF['loginrequired'] == 1) || ($_CONF['emailuserloginrequired'] == 1))
+ && ($uid != 2)) {
+ return COM_refresh ($_CONF['site_url'] . '/index.php');
+ }
+
+ // check for correct 'to' user preferences
+ $result = DB_query ("SELECT emailfromadmin,emailfromuser FROM {$_TABLES['userprefs']} WHERE uid = '$uid'");
+ $P = DB_fetchArray ($result);
+ if (SEC_inGroup ('Root') || SEC_hasRights ('user.mail')) {
+ $isAdmin = true;
+ } else {
+ $isAdmin = false;
+ }
+ if ((($P['emailfromadmin'] != 1) && $isAdmin) ||
+ (($P['emailfromuser'] != 1) && !$isAdmin)) {
+ return COM_refresh ($_CONF['site_url'] . '/index.php');
+ }
+
+ // check mail speedlimit
+ COM_clearSpeedlimit ($_CONF['speedlimit'], 'mail');
+ if (COM_checkSpeedlimit ('mail') > 0) {
+ return COM_refresh ($_CONF['site_url'] . '/index.php');
+ }
+
if (!empty($author) && !empty($subject) && !empty($message)) {
if (COM_isemail($authoremail)) {
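Review bot: The new query at the top of this hunk interpolates `$uid` straight into the SQL string (`WHERE uid = '$uid'`); `$uid` is a parameter whose origin lies outside the hunk, and if it is request-supplied none of the added checks constrains it, so the permission lookup itself becomes an injection point. Coerce it before use, e.g. `$uid = intval($uid);` as the first statement of the new block, which also makes the later `$uid != 2` comparison unambiguous. The lookup additionally assumes a userprefs row exists: when `DB_fetchArray` returns false, `$P['emailfromadmin']` is null, the `!= 1` test succeeds and the caller is redirected — fail-closed, but worth a one-line comment such as `// no prefs row: treat as "do not email"`. The enclosing function starts before the hunk.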
***************
*** 72,75 ****
--- 98,102 ----
$from = $author . ' <' . $authoremail . '>';
COM_mail ($A['email'], $subject, $message, $from);
+ COM_updateSpeedlimit ('mail');
$retval .= COM_refresh($_CONF['site_url'] . '/index.php?msg=27');
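Review bot: The From header assembled on the line before `COM_mail` still takes `$author` verbatim; the checks this commit adds validate `$authoremail` via `COM_isemail` and only test `$author` for non-emptiness, so a value containing CR or LF would be passed into the mail headers unchanged. Strip line breaks before building the header, e.g. `$author = str_replace(array("\r", "\n"), '', $author);`, or reject such input next to the `COM_isemail` check. The `COM_updateSpeedlimit('mail')` call on the new line is correctly placed after the send.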
***************
*** 180,183 ****
--- 207,222 ----
global $_CONF, $_TABLES, $LANG01, $LANG08;
+ // check for correct $_CONF permission
+ if (empty ($_USER['username']) &&
+ (($_CONF['loginrequired'] == 1) || ($_CONF['emailstoryloginrequired'] == 1))) {
+ return COM_refresh ($_CONF['site_url'] . '/article.php?story=' . $sid);
+ }
+
+ // check mail speedlimit
+ COM_clearSpeedlimit ($_CONF['speedlimit'], 'mail');
+ if (COM_checkSpeedlimit ('mail') > 0) {
+ return COM_refresh ($_CONF['site_url'] . '/article.php?story=' . $sid);
+ }
+
$sql = "SELECT uid,title,introtext,bodytext,UNIX_TIMESTAMP(date) AS day FROM {$_TABLES['stories']} WHERE sid = '$sid'";
$result = DB_query ($sql);
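Review bot: Both new redirect targets concatenate `$sid` unencoded into the URL handed to `COM_refresh` (`'/article.php?story=' . $sid`), and the pre-existing query two lines below interpolates the same value into SQL; none of the added checks validates `$sid`. Use `urlencode($sid)` in the redirect URLs, and if `$sid` is request-supplied, restrict it to the character set story ids use before it reaches either the URL or the query. The speed-limit block here repeats the one added in the first hunk verbatim, so a small shared helper taking the redirect URL would keep the two checks in step. The enclosing function's header is outside the hunk.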
***************
*** 208,211 ****
--- 247,251 ----
COM_mail ($toemail, $subject, $mailtext, $mailfrom);
+ COM_updateSpeedlimit ('mail');
$retval .= COM_refresh ($_CONF['site_url'] . '/article.php?story=' . $sid);