Merge pull request #454 from kartolo/hotfix/2023110110000013_v6

kartolo · web-flow · commit c19d755afd5a · 2023-12-12T20:47:42.000+01:00
[Security] prevent user to input multiline value
diff --git a/Classes/DirectMailUtility.php b/Classes/DirectMailUtility.php
@@ -1625,6 +1625,14 @@ public static function updatePagesTSconfig($id, array $pageTs, $tsConfPrefix, $i
             }
             $set = array();
             foreach ($pageTs as $f => $v) {
+                // only get the first line of input and ignore the rest
+                $v = strtok(trim($v), "\r\n");
+                // if token is not found (false)
+                if ($v === false) {
+                    // then set empty string
+                    $v = '';
+                }
+                
                 $f = $tsConfPrefix . $f;
                 if ((!isset($impParams[$f]) && trim($v)) || strcmp(trim($impParams[$f]), trim($v))) {
                     $set[$f] = trim($v);
diff --git a/ext_emconf.php b/ext_emconf.php
@@ -15,7 +15,7 @@
     'description' => 'Advanced Direct Mail/Newsletter mailer system with sophisticated options for personalization of emails including response statistics.',
     'category' => 'module',
     'shy' => 0,
-    'version' => '6.0.2',
+    'version' => '6.0.3',
     'dependencies' => 'cms,tt_address',
     'conflicts' => 'sr_direct_mail_ext,it_dmail_fix,plugin_mgm,direct_mail_123',
     'priority' => '',
