[geeklog-hg] geeklog: Fix bug which allowed users to try to send email to use...



changeset 9648:4c4d6bac76cc
url:  http://project.geeklog.net/cgi-bin/hgwebdir.cgi/geeklog/rev/4c4d6bac76cc
user: Tom
date: Tue Nov 10 10:14:38 2015 -0500
description:
Fix bug which allowed users to try to send email to users without an email address (OAuth users). Added more in-depth checks of the "to" email address and messages to Admin explaining the error (if he is the one sending the email).

diffstat:

 language/english.php        |   5 ++++-
 language/english_utf-8.php  |   5 ++++-
 language/japanese_utf-8.php |   5 ++++-
 public_html/profiles.php    |  41 ++++++++++++++++++++++++++++++++++++-----
 4 files changed, 48 insertions(+), 8 deletions(-)

diffs (110 lines):

diff -r a5e13f09b8aa -r 4c4d6bac76cc language/english.php
--- a/language/english.php	Tue Nov 10 10:09:09 2015 -0500
+++ b/language/english.php	Tue Nov 10 10:14:38 2015 -0500
@@ -487,7 +487,10 @@
     37 => 'Send me a copy of this email',
     38 => "This is a copy of the email that you sent to %s from <{$_CONF['site_url']}>:",
     39 => 'Your last message was ',
-    40 => " seconds ago.  This site requires at least {$_CONF['speedlimit']} seconds between sending messages"
+    40 => " seconds ago.  This site requires at least {$_CONF['speedlimit']} seconds between sending messages", 
+    41 => "This user doesn't exist.", 
+    42 => "This users email address doesn't exist. This most likely means is is an OAuth user account.",
+    43 => 'This users email address is invalid.'
 );
 
 ###############################################################################
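Review bot: The new strings 42 and 43 carry typos that will reach the Admin verbatim: `"This users email address"` should read `"This user's email address"` in both, and `"This most likely means is is an OAuth user account."` in 42 should be `"This most likely means it is an OAuth user account."`. The same three strings are added identically in language/english_utf-8.php and language/japanese_utf-8.php, so the fix applies to all three hunks, and the Japanese file receives untranslated English text for 41–43. Lines 40 and 41 also pick up trailing whitespace after the comma.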
diff -r a5e13f09b8aa -r 4c4d6bac76cc language/english_utf-8.php
--- a/language/english_utf-8.php	Tue Nov 10 10:09:09 2015 -0500
+++ b/language/english_utf-8.php	Tue Nov 10 10:14:38 2015 -0500
@@ -487,7 +487,10 @@
     37 => 'Send me a copy of this email',
     38 => "This is a copy of the email that you sent to %s from <{$_CONF['site_url']}>:",
     39 => 'Your last message was ',
-    40 => " seconds ago.  This site requires at least {$_CONF['speedlimit']} seconds between sending messages"
+    40 => " seconds ago.  This site requires at least {$_CONF['speedlimit']} seconds between sending messages", 
+    41 => "This user doesn't exist.", 
+    42 => "This users email address doesn't exist. This most likely means is is an OAuth user account.",
+    43 => 'This users email address is invalid.'
 );
 
 ###############################################################################
diff -r a5e13f09b8aa -r 4c4d6bac76cc language/japanese_utf-8.php
--- a/language/japanese_utf-8.php	Tue Nov 10 10:09:09 2015 -0500
+++ b/language/japanese_utf-8.php	Tue Nov 10 10:14:38 2015 -0500
@@ -495,7 +495,10 @@
     37 => '自分宛にコピーを送信する',
     38 => "これはあなたが<{$_CONF['site_url']}>から %s へ送信したメールのコピーです:",
     39 => 'あなたはメッセージを ',
-    40 => " 秒前に送信しています。少なくとも{$_CONF['speedlimit']}秒å¾
って、次のメッセージを送信してください。"
+    40 => " 秒前に送信しています。少なくとも{$_CONF['speedlimit']}秒å¾
って、次のメッセージを送信してください。", 
+    41 => "This user doesn't exist.", 
+    42 => "This users email address doesn't exist. This most likely means is is an OAuth user account.",
+    43 => 'This users email address is invalid.'    
 );
 
 ###############################################################################
diff -r a5e13f09b8aa -r 4c4d6bac76cc public_html/profiles.php
--- a/public_html/profiles.php	Tue Nov 10 10:09:09 2015 -0500
+++ b/public_html/profiles.php	Tue Nov 10 10:14:38 2015 -0500
@@ -186,17 +186,48 @@
                              ($_CONF['emailuserloginrequired'] == 1))) {
         $retval .= SEC_loginRequiredForm();
     } else {
-        $result = DB_query ("SELECT emailfromadmin,emailfromuser FROM {$_TABLES['userprefs']} WHERE uid = '$uid'");
-        $P = DB_fetchArray ($result);
         if (SEC_inGroup ('Root') || SEC_hasRights ('user.mail')) {
             $isAdmin = true;
         } else {
             $isAdmin = false;
         }
 
+        // Check email address okay and user preference regarding email
+        $continue = false;
+        $msg_no_mail = $LANG08[35];
+
+        $result = DB_query ("SELECT email FROM {$_TABLES['users']} WHERE uid = '$uid'");
+        $nrows = DB_numRows($result);                                     
+        
+        if ($nrows == 1) {
+            $P = DB_fetchArray ($result);
+            if (!empty($P['email'])) {
+                if (COM_isEMail($P['email'])) {
+                    $continue = true;
+                } elseif ($isAdmin ) {
+                    $msg_no_mail = $LANG08[43]; // Email invalid
+                }
+            } elseif ($isAdmin ) {
+                $msg_no_mail = $LANG08[42]; // Email doesn't exist
+            }
+        } elseif ($isAdmin ) {
+            $msg_no_mail = $LANG08[41]; // User doesn't exist
+        }
+        
+        // Check if User wants mail from someone
+        if ($continue) {
+            $result = DB_query ("SELECT emailfromadmin,emailfromuser FROM {$_TABLES['userprefs']} WHERE uid = '$uid'");
+            $P = DB_fetchArray ($result);
+            
+            if ($continue && ((($P['emailfromadmin'] == 1) && $isAdmin) || (($P['emailfromuser'] == 1) && !$isAdmin))) {
+                $continue = true;
+            } else {
+                $continue = false;
+            }
+        }
+        
         $displayname = COM_getDisplayName ($uid);
-        if ((($P['emailfromadmin'] == 1) && $isAdmin) ||
-            (($P['emailfromuser'] == 1) && !$isAdmin)) {
+        if ($continue) {
 
             if ($cc) {
                 $cc = ' checked="checked"';
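Review bot: The new lookup `$result = DB_query ("SELECT email FROM {$_TABLES['users']} WHERE uid = '$uid'");` interpolates $uid straight into the SQL, as the userprefs query below it also does; $uid is assigned before this hunk, so it is not visible here whether it has already been reduced to an integer. Because uid is a numeric key, casting once ahead of the first query, `$uid = (int) $uid;`, makes both statements independent of how the value was obtained and is the form a reviewer would expect at this point. Separately, the inner test `if ($continue && ((($P['emailfromadmin'] == 1) && $isAdmin) || (($P['emailfromuser'] == 1) && !$isAdmin)))` repeats the `$continue` check of its enclosing `if ($continue)`, and the `$continue = true;` branch is a no-op, so the whole inner block reduces to `$continue = (($P['emailfromadmin'] == 1) && $isAdmin) || (($P['emailfromuser'] == 1) && !$isAdmin);`. The enclosing function starts and ends outside the hunk.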
@@ -252,7 +283,7 @@
             $retval .= $mail_template->finish($mail_template->get_var('output'));
             $retval .= COM_endBlock();
         } else {
-            $retval = COM_showMessageText($LANG08[35], $LANG08[10] . ' ' . $displayname);
+            $retval = COM_showMessageText($msg_no_mail, $LANG08[10] . ' ' . $displayname);
         }
     }
 


