Postie & SQL Injection
December 8th, 2006 | Blogging | Setup

I love the ability to blog by email, because writing an email allows me to think in conversational tones (after years of living by email, I am conditioned this way), and I do not quite have the same feel with blogging yet, so I am quite happy when Postie works for me (see this article for my experience of setting up Postie).
Now - it appears that the latest Postie has a bug - it does not escape the subject line for single quotes (and also does not generate a post - you might wonder whether your email was lost until you decide to investigate). This type of bug is the cause of a security threat called SQL injection: an unescaped quote in user-supplied text (here, the email subject) ends up inside the SQL statement that stores the post. IMHO, the best place to ensure such escaping is done is in the data access layer (e.g., mysql_query, etc.); however, it appears that with PHP & WordPress the philosophy is that it is up to the plugin author to handle the escaping.
So if you are using Postie, make sure you apply the following patch to postie-functions.php.
— postie-functions.php 2006-12-08 01:29:06.578125000 -0800
+++ postie-functions.php.new 2006-12-08 01:29:20.890625000 -0800
@@ -53,7 +53,7 @@ function PostEmail($poster,$mimeDecodedE
‘post_date’ => $post_date,
‘post_date_gmt’ => $post_date_gmt,
‘post_content’ => preg_replace(”/’/”,”\’”,$content),
- ‘post_title’ => $subject,
+ ‘post_title’ => preg_replace(”/’/”,”\’”,$subject),
‘post_modified’ => $post_date,
‘post_modified_gmt’ => $post_date_gmt,
‘ping_status’ => get_settings(’default_ping_status’),
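Review bot: the replacement on the `+` line escapes only the single quote, so a backslash in the subject still reaches the query unescaped and the result is not a complete escape for a MySQL string literal; since the same `preg_replace("/'/", "\'", ...)` is already applied to `post_content` two lines above, both fields would be better served by the database layer's own escaping routine (for example `mysql_real_escape_string()` on the open connection, or WordPress's `$wpdb->escape()`, which also handles backslashes and double quotes) than by a hand-written regex. Also note that the quotes in the hunk render here as typographic ‘ ’ and ” ”; they must be plain ASCII `'` and `"` when the patch is applied, or PHP will not parse the line.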
That will solve the problem, until Postie includes this fix in an official release.
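To illustrate the point above about leaving the escaping to the data access layer, here is an added stand-alone example (my own, not Postie's or WordPress's code) that stores the same post fields through a prepared statement, so a quote or backslash in the email subject is data rather than SQL; it uses PDO with an in-memory SQLite table constructed only for this demonstration.

```php
<?php
// Added example: escaping handled by the data access layer (a prepared
// statement) instead of a per-field preg_replace() in the plugin.
// The table below is constructed for the demo; it is not the WordPress schema.
function open_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posts (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        post_title TEXT NOT NULL,
        post_content TEXT NOT NULL,
        post_date TEXT NOT NULL)');
    return $db;
}

// The subject and body arrive from the email untouched. The driver sends the
// parameter values separately from the SQL text, so a "'" or "\" in the
// subject is stored literally and can never terminate the string literal.
function insert_post(PDO $db, string $subject, string $content, string $date): int {
    $stmt = $db->prepare(
        'INSERT INTO posts (post_title, post_content, post_date)
         VALUES (:post_title, :post_content, :post_date)');
    $stmt->execute([
        ':post_title'   => $subject,
        ':post_content' => $content,
        ':post_date'    => $date,
    ]);
    return (int) $db->lastInsertId();
}

function fetch_title(PDO $db, int $id): string {
    $stmt = $db->prepare('SELECT post_title FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Constructed subjects: a plain quote (the case the patch handles), a
// backslash followed by a quote (which a quote-only regex leaves incomplete),
// and a double quote. All three must round-trip unchanged.
$db = open_demo_db();
foreach (["Postie's bug", "C:\\path\\'quoted'", 'He said "hi"'] as $subject) {
    $id     = insert_post($db, $subject, 'body text', '2006-12-08 01:29:06');
    $stored = fetch_title($db, $id);
    printf("%s %s\n", $stored === $subject ? 'ok ' : 'BAD', $stored);
}
```

Run with `php example.php`; every line should start with `ok`, since no value is ever spliced into the statement text.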
