
Ticket #855 (fixed bug)

Escaping admin's mail

  • Created: 2013-05-07 16:55:20
  • Reported by: adaur
  • Assigned to: adaur
  • Milestone: 1.5.4
  • Component: security
  • Priority: high

I was editing profile.php when I noticed multiple occurrences of

message($lang_profile['Activate email sent'].' <a href="mailto:'.$pun_config['o_admin_email'].'">'.$pun_config['o_admin_email'].'</a>.', true);

or

message($lang_profile['Move failed'].' <a href="mailto:'.$pun_config['o_admin_email'].'">'.$pun_config['o_admin_email'].'</a>.');

Same in register.php

message($lang_register['Reg email'].' <a href="mailto:'.$pun_config['o_admin_email'].'">'.$pun_config['o_admin_email'].'</a>.', true);

What if the database was compromised and o_admin_email was injected with malicious code?

I think we should apply pun_htmlspecialchars on all occurences of o_admin_email, as we did for IP addresses.

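The following is an added, self-contained illustration of the fix the ticket proposes; it is not code from the ticket or from FluxBB itself. It assumes $pun_config is a plain array and defines a stand-in pun_htmlspecialchars() modelled on FluxBB's thin wrapper around htmlspecialchars(); the config value, the language string and the has_injected_markup() check are all constructed here for the demonstration.

```php
<?php
// Added example (not FluxBB's own code): why a config value echoed into HTML
// must go through pun_htmlspecialchars() at display time.
// Assumptions: $pun_config is a plain array; pun_htmlspecialchars() below is a
// stand-in modelled on FluxBB's wrapper around htmlspecialchars().

function pun_htmlspecialchars($str)
{
    return htmlspecialchars($str, ENT_QUOTES, 'UTF-8');
}

// Constructed config row: the kind of value a compromised database could hold.
$pun_config = array(
    'o_admin_email' => 'admin@example.com"><em>injected</em>',
);
// Constructed language string standing in for $lang_profile['Activate email sent'].
$lang_profile = array('Activate email sent' => 'An activation email has been sent to');

// Before: o_admin_email is concatenated into the markup unescaped, so a quote
// closes the href attribute and an angle bracket starts a new tag.
function contact_link_unescaped(array $pun_config, $text)
{
    return $text.' <a href="mailto:'.$pun_config['o_admin_email'].'">'.$pun_config['o_admin_email'].'</a>.';
}

// After: the value is escaped when displayed; quotes and angle brackets become
// entities and the browser renders them as literal text.
function contact_link_escaped(array $pun_config, $text)
{
    $email = pun_htmlspecialchars($pun_config['o_admin_email']);
    return $text.' <a href="mailto:'.$email.'">'.$email.'</a>.';
}

// Constructed check: strip the markup the template itself writes and see whether
// any '<' is left, i.e. whether the config value contributed its own tags.
function has_injected_markup($html)
{
    $stripped = str_replace(array('<a href="mailto:', '</a>'), '', $html);
    return strpos($stripped, '<') !== false;
}

$before = contact_link_unescaped($pun_config, $lang_profile['Activate email sent']);
$after  = contact_link_escaped($pun_config, $lang_profile['Activate email sent']);

echo "Unescaped: $before\n";
echo "Escaped:   $after\n";
echo 'Injected markup survives unescaped: ', var_export(has_injected_markup($before), true), "\n"; // true
echo 'Injected markup survives escaped:   ', var_export(has_injected_markup($after), true), "\n";  // false
```

Escaping at display time rather than on the way into the database is the point: the stored value stays as it is, and every place that prints it is responsible for encoding it for the context it lands in (here an HTML attribute and element text, both covered by ENT_QUOTES).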

History

adaur 2013-05-17 16:43:02

  • Description changed. (Diff)

adaur 2013-05-17 17:04:22

Commit 6e9efba to fluxbb master

#855 Escaping admin's mail

adaur 2013-05-17 17:06:32

Commit dfe8ca4 to fluxbb master

#855 Escaping email when displaying

adaur 2013-05-17 17:07:37

Commit 58dff0d to fluxbb master

#855 Escaping admin's mail

adaur 2013-05-17 17:08:37

Commit 5ec12a0 to fluxbb master

#855 Escaping admin's mail

adaur 2013-05-17 17:11:11

Commit 6860b21 to fluxbb master

#855 Escaping email when displaying

adaur 2013-05-17 17:18:04

Commit ed40a5f to fluxbb master

#855 Escaping email when displaying

adaur 2013-05-17 17:20:06

Commit f559fb4 to fluxbb master

#855 Escaping email when displaying

Franz 2013-05-21 08:45:50

I agree that this is safer. Anyhow, there are probably many more occurrences of un-escaped config values. Those are assumed to be safe.

Franz 2013-05-21 08:48:37

Commit 09a9891 to fluxbb master

Merge pull request #75 from adaur/master

#855: escaping mails at display + #858: fixing scrollbar in Chrome

adaur 2013-05-21 10:21:28

  • Status changed from open to fixed.

adaur 2013-05-22 12:16:48

Commit 5303326 to fluxbb master

#855: escaping mails at display

adaur 2013-05-22 12:18:22

Commit c455e04 to fluxbb master

#855: escaping mails at display

Franz 2013-05-22 12:51:27

Commit 925fcc9 to fluxbb master

Merge pull request #76 from adaur/master

#855: escaping mails at display

Franz 2013-08-10 19:28:15

  • Visibility set to public.