
Re: SECURITY WARNING: stop using Private Messaging plugin


_ck_
Participant

@_ck_

This is a quick and dirty security fix. Only tested on a basic level.

This code is for the original, not Detective’s mod, which I will examine tomorrow unless Detective wants to apply the stuff below himself…

Replace the entire function pm_new_message, around line 100,

from:

function pm_new_message( $id_receiver, $id_sender, $pmtitle, $message ){
...
}

to this:

function pm_new_message( $id_receiver, $id_sender, $pmtitle, $message ){
    global $bbdb, $bb_table_prefix;

    $created_on = bb_current_time('mysql');
    // Force both user ids to integers
    $id_receiver = intval($id_receiver);
    $id_sender = intval($id_sender);

    // Title: strip markup, cap at 64 characters
    $pmtitle = substr(strip_tags($pmtitle), 0, 64);
    // Message: cap at 2048 characters, rebalance tags, then run the normal post filters
    remove_filter('pre_post', 'post_regulation');
    $message = substr($message, 0, 2048);
    $message = force_balance_tags($message);
    $message = apply_filters('pre_post', $message, 0, 0);
    $message = apply_filters('post_text', $message, 0);

    // Escape the strings last, immediately before they go into the query
    $pmtitle = mysql_real_escape_string($pmtitle);
    $message = mysql_real_escape_string($message);

    $bbdb->query("INSERT INTO ".$bb_table_prefix."privatemessages
        (id_sender, id_receiver, pmtitle, message, created_on)
        VALUES
        ('$id_sender', '$id_receiver', '$pmtitle', '$message','$created_on')");
}

This patch should in theory make it virtually completely sanitized (but still not completely validated unfortunately) and has the added bonus that most other plugins that affect posts like bb-smilies, etc. should work inside PMs.
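
The same insert written with bound parameters in place of mysql_real_escape_string(), as an added example that is not part of the original post or the plugin. It assumes PDO with an in-memory SQLite table standing in for $bbdb, leaves out the bbPress filters, and the function name pm_store_message and its rejection rules are illustrative assumptions.

```php
<?php
// Added example, not plugin code. PDO + in-memory SQLite stand in for
// $bbdb/MySQL; the columns mirror the INSERT in the post. The bbPress
// filters (force_balance_tags, pre_post, post_text) are not available
// stand-alone and are omitted here.

function pm_store_message(PDO $db, $id_receiver, $id_sender, $pmtitle, $message) {
    // Same normalisation as the patch: integer ids, tag-free 64-char
    // title, 2048-char message body.
    $id_receiver = intval($id_receiver);
    $id_sender   = intval($id_sender);
    $pmtitle     = substr(strip_tags($pmtitle), 0, 64);
    $message     = substr($message, 0, 2048);

    // Validation step (assumed rules): refuse impossible ids and empty
    // content instead of storing them.
    if ($id_receiver < 1 || $id_sender < 1
        || $pmtitle === '' || trim($message) === '') {
        return false;
    }

    // Bound parameters: the values never become part of the SQL text,
    // so no string escaping is needed.
    $stmt = $db->prepare(
        'INSERT INTO privatemessages
             (id_sender, id_receiver, pmtitle, message, created_on)
         VALUES (:s, :r, :t, :m, :c)'
    );
    return $stmt->execute(array(
        ':s' => $id_sender, ':r' => $id_receiver,
        ':t' => $pmtitle,   ':m' => $message,
        ':c' => gmdate('Y-m-d H:i:s'),
    ));
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE privatemessages (id_sender INTEGER, id_receiver INTEGER,
           pmtitle TEXT, message TEXT, created_on TEXT)');

// Constructed inputs: quote characters and markup in the text fields,
// non-numeric junk in the id fields.
var_dump(pm_store_message($db, "2abc", 1, "<b>hi</b> it's", "say \"hello\" it's me"));
var_dump(pm_store_message($db, "abc", 1, "title", "body")); // receiver casts to 0
var_dump($db->query('SELECT * FROM privatemessages')->fetchAll(PDO::FETCH_ASSOC));
```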
