author | Paul Arthur <paul.arthur@flowerysong.com> | 2012-09-20 12:50:54 -0400 |
---|---|---|
committer | Paul Arthur <paul.arthur@flowerysong.com> | 2012-09-20 12:50:54 -0400 |
commit | 9c09b33e955c345d6c2ec352e6fba572b5784ab5 (patch) | |
tree | 19f7fbea328ce9bfaeea18bb18f7e86307dedf56 | |
parent | 2f8656a20c7ba0eb523ecd8987e343f819e22f5a (diff) | |
FS#248 - Sending Mail with quotes
Don't run scrub_in on the subject and body; it's not touching the
database or being output back to the browser, and we send plain text
email. Anything malicious that can be done is a phpmailer bug.
-rw-r--r-- | admin/mail.php | 4 | ||||
-rwxr-xr-x | docs/CHANGELOG | 1 |
2 files changed, 3 insertions, 2 deletions
diff --git a/admin/mail.php b/admin/mail.php index 595abab7..2f2b90d0 100644 --- a/admin/mail.php +++ b/admin/mail.php @@ -52,8 +52,8 @@ switch ($_REQUEST['action']) { $mailer = new AmpacheMail(); // Set the vars on the object - $mailer->subject = scrub_in($_REQUEST['subject']); - $mailer->message = scrub_in($_REQUEST['message']); + $mailer->subject = $_REQUEST['subject']; + $mailer->message = $_REQUEST['message']; if ($_REQUEST['from'] == 'system') { $mailer->set_default_sender(); diff --git a/docs/CHANGELOG b/docs/CHANGELOG index 98406cb9..ffd6f88f 100755 --- a/docs/CHANGELOG +++ b/docs/CHANGELOG @@ -4,6 +4,7 @@ -------------------------------------------------------------------------- v.3.6-future + - Removed HTML entity encoding of plaintext email (reported by USMC Guy) - Fixed a search issue which prevented the use of multiple tag rules (reported by Istarion) - Fixed ASF tag parsing regression (reported by cygn) |
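Review bot: In the admin/mail.php hunk, `$mailer->subject = $_REQUEST['subject'];` now hands the request value to the mailer with no check at the call site, and a subject ends up in a message header, so line breaks in it matter in a way they do not for the body. I'd strip CR and LF from the subject here (or reject a subject that contains them) rather than depend on the mailer for that, and leave the body as raw text as this change intends. If delegating header handling to the mailer is deliberate, a one-line comment above the two assignments saying so would keep the next reader from re-adding scrub_in. Both assignments also read from $_REQUEST without an isset check, so a request missing either field raises a notice; that predates this change but is cheap to fix while touching these lines.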