Merge pull request #455 from kartolo/hotfix/2023110110000013_v7

kartolo · web-flow · commit bb34f1b96e74 · 2023-12-12T20:51:43.000+01:00
[Security] prevent user to input multiline value
diff --git a/Classes/DirectMailUtility.php b/Classes/DirectMailUtility.php
@@ -1582,6 +1582,13 @@ public static function updatePagesTSconfig($id, array $pageTs, $tsConfPrefix, $i
             }
             $set = array();
             foreach ($pageTs as $f => $v) {
+                // only get the first line of input and ignore the rest
+                $v = strtok(trim($v), "\r\n");
+                // if token is not found (false)
+                if ($v === false) {
+                    // then set empty string
+                    $v = '';
+                }
                 $f = $tsConfPrefix . $f;
                 if ((!isset($impParams[$f]) && trim($v)) || strcmp(trim($impParams[$f]), trim($v))) {
                     $set[$f] = trim($v);
diff --git a/ext_emconf.php b/ext_emconf.php
@@ -14,7 +14,7 @@
     'title' => 'Direct Mail',
     'description' => 'Advanced Direct Mail/Newsletter mailer system with sophisticated options for personalization of emails including response statistics.',
     'category' => 'module',
-    'version' => '7.0.1',
+    'version' => '7.0.3',
     'state' => 'stable',
     'clearcacheonload' => 0,
     'lockType' => '',
