Ever since adding _ck_’s security update, we’ve been having a lot of problems with undelivered PMs. Last night I tried to send a forum member a PM about five times, and he never received it. After sending, I would scroll down to check my Sent Messages and none of them were there.
I’m running bbPress 0.9.0.3 with Private Messaging 0.80.
It’s possible, because I was testing it on 1.0, that 1.0 automatically escapes the mysql values passed and that 0.9 does not. I can’t remember.
Try adding this before the $bbdb->query:
$pmtitle=mysql_real_escape_string($pmtitle);
$message=mysql_real_escape_string($message);
and see if it helps, or if it just adds slashes to your text instead and breaks it.
It may also be a quote problem but I thought the bbpress pre/post text filters should encode quote or any other problematic characters.
That seems to work. We’re still testing it out but I think we’re in the clear.
That said, I also added Anne’s notification hack, and we’re not getting any notifications.
If the notification sends any part of the actual message, keep in mind the messages now contain html and may get rejected by spam filters. Other than that, I dunno.
Also you’d have to send the email notification BEFORE you do the escape if you send the message or title in the message (or save the original to different strings).
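As an added illustration of the two points above (this is example code written for this thread, not code from the Private Messaging plugin or from anyone posting here): the script builds the INSERT the same way pm_new_message does, shows why an apostrophe in a title or message leaves the query syntactically broken (the PM just never arrives), shows the escaped copy going into SQL, and formats the notification from the original strings. pm_escape() is a stand-in for mysql_real_escape_string() / $bbdb->escape() so it runs without a database; the table name bb_privatemessages, the sender name and the URL are made up for the demo.

```php
<?php
// Added example, not from the PM plugin or anyone in this thread. It builds
// the INSERT the same way pm_new_message() does, so you can see why an
// apostrophe in a title or message breaks the query (the PM silently never
// arrives), how escaping the SQL copy fixes it, and why the notification
// e-mail must be formatted from the original strings.
//
// pm_escape() is a stand-in for mysql_real_escape_string() / $bbdb->escape()
// so the script runs without a database connection (assumption: the forum's
// connection charset is one where these byte substitutions are correct).

function pm_escape($s) {
    return strtr($s, array(
        '\\'   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\x1a" => '\\Z',
    ));
}

// Same shape as the plugin's query: values interpolated into quoted literals.
// $escape toggles the fix suggested above. Table name is assumed for the demo.
function pm_build_insert($id_sender, $id_receiver, $pmtitle, $message, $escape) {
    $id_sender   = intval($id_sender);
    $id_receiver = intval($id_receiver);
    $sql_title   = $escape ? pm_escape($pmtitle) : $pmtitle;
    $sql_message = $escape ? pm_escape($message) : $message;
    return "INSERT INTO bb_privatemessages"
         . " (id_sender, id_receiver, pmtitle, message, created_on) VALUES"
         . " ('$id_sender', '$id_receiver', '$sql_title', '$sql_message', NOW())";
}

// Rough syntax check: after dropping backslash-escaped characters, every
// string literal must still open and close, i.e. an even number of quotes.
// A stray quote is exactly what MySQL rejects; $bbdb->query() then returns
// false and nothing is stored, which is the "undelivered PM" symptom.
function pm_quotes_balanced($sql) {
    $unescaped = preg_replace('/\\\\./', '', $sql);
    return substr_count($unescaped, "'") % 2 === 0;
}

// The notification hack has to use the original title, not the SQL copy,
// or the recipient sees backslashes. Single quotes around the template:
// inside double quotes PHP would read the "$s" of "%1$s" as a variable.
function pm_notification_body($pmtitle, $sender_name, $pm_link) {
    $tpl = 'You have a new private message: %1$s' . "\n"
         . 'From: %2$s' . "\n\n" . '%3$s';
    return sprintf($tpl, $pmtitle, $sender_name, $pm_link);
}

// Constructed input: the kind of text that made PMs vanish.
$title = "Don't forget tonight's meeting";
$body  = "See you at 8 o'clock.";

$unsafe = pm_build_insert(3, 7, $title, $body, false);
$safe   = pm_build_insert(3, 7, $title, $body, true);

echo "unescaped query syntactically OK: ", pm_quotes_balanced($unsafe) ? 'yes' : 'no', "\n";
echo "escaped query syntactically OK:   ", pm_quotes_balanced($safe)   ? 'yes' : 'no', "\n";
echo $safe, "\n\n";

// Escape once, and only the copy that goes into SQL: the e-mail is built
// from $title, which is untouched. Name and URL are made up for the demo.
echo pm_notification_body($title, 'anne', 'http://example.invalid/message.php?id=42'), "\n";
```

Save it as a .php file and run it with the php command line. The one thing to watch is the 1.0 case mentioned above: if the values are already escaped by the time they reach the query, escaping them a second time is what puts literal backslashes into stored messages, so apply the escape exactly once, and only to the copies that go into the SQL string.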
Anne,
Can you tell me where specifically to put your email notification hack? I’m not well versed in PHP or coding in general (outside of HTML/CSS). Thanks!
Hi Citizenkeith, I just saw this now… you’d put the hack at the end of pm_new_message. So my function now looks like this:
function pm_new_message( $id_receiver, $id_sender, $pmtitle, $message ){
	global $bbdb, $bb_table_prefix;
	$created_on = bb_current_time('mysql');
	$id_receiver = intval($id_receiver);
	$id_sender = intval($id_sender);
	$pmtitle=substr(strip_tags($pmtitle),0,64);
	remove_filter('pre_post', 'post_regulation');
	$message=substr($message,0,2048);
	$message=force_balance_tags($message);
	$message=apply_filters('pre_post',$message,0,0);
	$message=apply_filters('post_text',$message,0);
	// Escape only the copies that go into the query (_ck_'s fix above);
	// the originals are still needed for the notification e-mail below.
	$sql_title = mysql_real_escape_string($pmtitle);
	$sql_message = mysql_real_escape_string($message);
	$bbdb->query("INSERT INTO ".$bb_table_prefix."privatemessages
		(id_sender, id_receiver, pmtitle, message, created_on)
		VALUES
		('$id_sender', '$id_receiver', '$sql_title', '$sql_message','$created_on')");
	// Notification hack: e-mail the recipient a link to the new message.
	$to = bb_get_user_email($id_receiver);
	$pm_link = bb_get_option('uri') . 'message.php?id=' . $bbdb->insert_id;
	// Single quotes around the placeholders: in a double-quoted string PHP
	// reads the "$s" of "%1$s" as a variable and the placeholders vanish.
	$notice = __('You have a new private message: %1$s' . "\n" . 'From: %2$s' . "\n\n" . '%3$s');
	mail( $to, bb_get_option('name') . ': ' . __('Private Message'),
		sprintf( $notice, $pmtitle, get_user_name($id_sender), $pm_link ),
		'From: ' . bb_get_option('from_email')
	);
}
I’m using the PM plugin by Nightgunner5 – is it ok, or is it a risk as well?
Thanks.
While I have not reviewed Nightgunner’s code, that version is a complete rewrite, so I suspect it avoids the pitfalls of the original version and is probably safe to use.
Just want to make sure I did it correctly, so with this new code that CK re-wrote….how much do you replace?
I assume just the function from
function pm_new_message( $id_receiver, $id_sender, $pmtitle, $message ){
}
You replace just that section, up to the }, with the CK rewrite?
PS thanks for this, security issue=bad
I removed the PM plugin some time ago; personal messages are often a big problem on forums.
I think a contact form which is sent to the “hidden” user email address is a much better solution.
That would indeed be an awesome feature to have.
Do you know if this problem is resolved? I had the plugin downloaded onto my bbPress forum for me a few days ago and I was not aware of this topic at the time. Is it now safe to use or should I be taking it off?
http://bit.ly/4LJlfj (a graph of the daily downloads) – 18 downloads this week, 6 of which were from today.
It would benefit the bbPress community as a whole if Matt or MDA (or anyone else with access to the repository) could put up some kind of notice on the Private Messaging plugin page that tells about the security risks.
Is it solved now? I cannot find that function in the plugin.
Is it solved? I am afraid now.