
Author Topic: Function Contact Security Patch  (Read 1537 times)

brauck

Function Contact Security Patch
« on: February 22, 2010, 01:59:32 PM »

PATCH - Function Contact Security Patch (1.6)

http://snewscms.com/forum/index.php?topic=8940.0

Although I might be wrong, as far as I know sNews 1.6 doesn't 'know' the constant _SITE, and neither does it have the function send_mail(); they are both 1.7, I believe.

Hello to you all btw; haven't posted for a long time; hope you're all well  :)

Patric Ahlqvist

Re: Function Contact Security Patch
« Reply #1 on: February 22, 2010, 07:34:07 PM »

Damn it, Onno... long time no see :) Hope you're well... as well, hehe

Sven

Re: Function Contact Security Patch
« Reply #2 on: February 23, 2010, 08:24:28 AM »

Howdee Brauck?

Keyrocks

Re: Function Contact Security Patch
« Reply #3 on: February 25, 2010, 03:14:54 PM »

PATCH - Function Contact Security Patch (1.6)
http://snewscms.com/forum/index.php?topic=8940.0

Although I might be wrong, as far as I know sNews 1.6 doesn't 'know' the constant _SITE, and neither does it have the function send_mail(); they are both 1.7, I believe.

Hello to you all btw; haven't posted for a long time; hope you're all well  :)

Great to see you back again Brauck. Yes, you are right... the 1.7 mods should not be used in the 1.6 version of the patch. I didn't check Joost's code for any errors... I just posted his patches as he provided them (taking it for granted that Joost would have tested them first to be sure they were working). Please feel welcome to post the changes needed in the PATCH - Function Contact Security Patch (1.6) thread.

Joost

Re: Function Contact Security Patch
« Reply #4 on: February 25, 2010, 04:19:07 PM »

Don't have a vanilla 1.6 installed here, so here is an untested solution.
I replaced constant _site (unknown in 1.6) with db('website').

```php
<?php

function contact() {

	if (!isset($_POST['contactform'])) {
		// Form not yet submitted: store the display time in the session (keyed by
		// the site name, since 1.6 has no _SITE) and mirror it in a hidden field.
		$_SESSION[db('website').'time'] = $time = time();
		echo
		'<div class="commentsbox"><h2>'.l('contact').'</h2>
<p>'.l('required').'</p>
<form method="post" action="'.db('website').'" id="post" accept-charset="UTF-8">
<p><label for="name">* ',l('name'),'</label>:<br />
<input type="text" name="name" id="name" maxlength="100" class="text" value="" /></p>
<p><label for="email">* ',l('email'),'</label>:<br />
<input type="text" name="email" id="email" maxlength="320" class="text" value="" /></p>
<p><label for="weblink">',l('url'),'</label>:<br />
<input type="text" name="weblink" id="weblink" maxlength="160" class="text" value="" /></p>
<p><label for="message">* ',l('message'),'</label>:<br />
<textarea name="message" rows="5" cols="5" id="message"></textarea></p>
',mathCaptcha(),'
<p><input type="hidden" name="ip" id="ip" value="',$_SERVER['REMOTE_ADDR'],'" />
<input type="hidden" name="time" id="time" value="',time(),'" />
<input type="submit" name="contactform" id="contactform" class="button" value="',l('submit'),'" /></p>
</form>
</div>';

	} elseif (isset($_SESSION[db('website').'time'])) {
		$count = $magic = 0;
		if (get_magic_quotes_gpc()) { $magic = 1; }
		// Copy each posted field into a local variable of the same name.
		// Because this uses variable variables, a posted key called "count" or
		// "magic" would overwrite the loop's own state.
		foreach ($_POST as $k => $v) {
			// Cap the number of accepted fields. The exact limit was lost when the
			// post was extracted; 8 is a placeholder matching the form above
			// (name, email, weblink, message, captcha, ip, time, contactform).
			if ($count === 8) die;
			if ($magic) $$k = stripslashes($v);
			else $$k = $v;
			++$count;
		}
		$to = s('website_email');
		$subject = s('contact_subject');

		// Length checks via string offsets; CR/LF is rejected because these
		// values end up in mail headers.
		$name = (isset($name[0]) && !isset($name[300])) ? trim($name) : null;
		$name = !preg_match('/[\\n\\r]/', $name) ? $name : die;

		$mail = (isset($email[6]) && !isset($email[320])) ? trim($email) : null;
		$mail = !preg_match('/[\\n\\r]/', $mail) ? $mail : die;

		// The web link is optional: an unusable value is dropped, not fatal.
		$url = (isset($weblink[4]) && !isset($weblink[160])) ? trim($weblink) : null;
		$url = (strpos($url, '?') === false && !preg_match('/[\\n\\r]/', $url)) ? $url : null;
		$message = (isset($message[10]) && !isset($message[6000])) ? strip_tags($message) : null;
		// The hidden time field must equal the value stored when the form was
		// shown, and the form must have been open for more than 10 seconds.
		$time = (isset($_SESSION[db('website').'time']) && $_SESSION[db('website').'time'] === (int)$time && (time() - $time) > 10) ? $time : null;
		if (isset($ip) && $ip === $_SERVER['REMOTE_ADDR'] && $time
			&& $name && $mail && $message && checkMathCaptcha()) {
			unset($_SESSION[db('website').'time']);
			echo notification(0, l('contact_sent'), 'home');
			$send_array = array(
				'to' => $to,
				'name' => $name,
				'email' => $mail,
				'message' => $message,
				'ip' => $ip,
				'url' => $url,
				'subject' => $subject);
			send_email($send_array);
		} else {
			echo notification(1, l('contact_not_sent'), 'contact');
		}
	}
}

?>
```
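Joost's patch ties its checks to the sNews helpers (db(), s(), l(), mathCaptcha(), send_email()), so they cannot be exercised outside a running CMS. What follows is an added example, not code from this thread or from sNews: the same request-level checks (field cap, CR/LF rejection for values that reach mail headers, time token plus minimum form age, IP binding) as a plain PHP function run over constructed requests, so you can see which submissions are refused and why. The names validate_contact and has_header_break, the MAX_FIELDS value (the patch's exact number did not survive) and all sample data are assumptions of this example; it needs PHP 7.1 or later.

```php
<?php
// Added example, not sNews code: Joost's submission checks isolated from the
// sNews helpers so they run with plain PHP (7.1+). validate_contact() returns
// an array of clean fields on success, or a string naming the first failed
// check. MAX_FIELDS and all sample data below are assumptions.

const MAX_FIELDS   = 8;   // assumed cap on posted fields; the patch's exact number was lost
const MIN_FORM_AGE = 10;  // seconds the form must have been open, as in the patch

// CR or LF in a value that is copied into a mail header lets the sender append
// headers of their own; the patch rejects such values and so does this check.
function has_header_break($s) {
    return preg_match('/[\r\n]/', $s) === 1;
}

function validate_contact(array $post, array $session, $remoteAddr, $now, $siteKey = 'example') {
    // Fields are read by name rather than via $$k, so a posted key cannot
    // shadow the function's own variables.
    if (!isset($session[$siteKey . 'time'])) return 'no form token in session';
    if (count($post) > MAX_FIELDS)            return 'too many fields';

    $name    = trim((string)($post['name'] ?? ''));
    $email   = trim((string)($post['email'] ?? ''));
    $url     = trim((string)($post['weblink'] ?? ''));
    $message = strip_tags((string)($post['message'] ?? ''));
    $time    = (int)($post['time'] ?? 0);
    $ip      = (string)($post['ip'] ?? '');

    if ($name === '' || strlen($name) > 300 || has_header_break($name)) {
        return 'bad name';
    }
    if (strlen($email) < 7 || strlen($email) > 320 || has_header_break($email)) {
        return 'bad email';
    }
    // The web link is optional: an unusable value is dropped, not fatal.
    if ($url !== '' && (strlen($url) < 5 || strlen($url) > 160
        || strpos($url, '?') !== false || has_header_break($url))) {
        $url = '';
    }
    if (strlen($message) < 11 || strlen($message) > 6000) return 'bad message';

    // Hidden time field must equal the value stored when the form was shown,
    // and the form must have been open longer than MIN_FORM_AGE seconds.
    if ($session[$siteKey . 'time'] !== $time) return 'time token mismatch';
    if ($now - $time <= MIN_FORM_AGE)          return 'submitted too fast';
    // Hidden ip field must match the address actually submitting.
    if ($ip !== $remoteAddr)                   return 'ip mismatch';

    return ['name' => $name, 'email' => $email, 'url' => $url,
            'message' => $message, 'ip' => $ip];
}

// Constructed sample requests (not real traffic).
$shownAt = 1700000000;
$session = ['exampletime' => $shownAt];
$good = [
    'name' => 'Alice', 'email' => 'alice@example.org', 'weblink' => 'http://example.org',
    'message' => 'Hello, this is a genuine message.', 'captcha' => '7',
    'ip' => '203.0.113.5', 'time' => (string)$shownAt, 'contactform' => 'Send',
];
$cases = [
    'legitimate'    => [$good, '203.0.113.5', $shownAt + 30],
    'crlf in email' => [array_merge($good, ['email' => "alice@example.org\r\nX-Injected: 1"]), '203.0.113.5', $shownAt + 30],
    'too fast'      => [$good, '203.0.113.5', $shownAt + 3],
    'ip mismatch'   => [$good, '198.51.100.9', $shownAt + 30],
    'extra fields'  => [array_merge($good, ['a' => '1', 'b' => '2']), '203.0.113.5', $shownAt + 30],
];
foreach ($cases as $label => [$post, $addr, $now]) {
    $result = validate_contact($post, $session, $addr, $now);
    printf("%-14s -> %s\n", $label, is_array($result) ? 'accepted' : 'rejected: ' . $result);
}
```

Only the first case is accepted; each of the others is refused by exactly one of the checks the patch performs, which makes the function a convenient place to log or rate-limit rejected submissions by reason.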