[Security] prevent user to input multiline value

kartolo · kartolo · commit 1c69f4b88f10 · 2023-11-24T20:29:14.000+01:00
Since the configuration module write the value as tsconfig in the sysfolder,
it was possible for user to send multiline value through the module. This fix will
ignore multiline value and only saves first line as tsconfig value
diff --git a/Classes/DirectMailUtility.php b/Classes/DirectMailUtility.php
@@ -1625,6 +1625,14 @@ public static function updatePagesTSconfig($id, array $pageTs, $tsConfPrefix, $i
             }
             $set = array();
             foreach ($pageTs as $f => $v) {
+                // only get the first line of input and ignore the rest
+                $v = strtok(trim($v), "\r\n");
+                // if token is not found (false)
+                if ($v === false) {
+                    // then set empty string
+                    $v = '';
+                }
+                
                 $f = $tsConfPrefix . $f;
                 if ((!isset($impParams[$f]) && trim($v)) || strcmp(trim($impParams[$f]), trim($v))) {
                     $set[$f] = trim($v);
diff --git a/ext_emconf.php b/ext_emconf.php
@@ -15,7 +15,7 @@
     'description' => 'Advanced Direct Mail/Newsletter mailer system with sophisticated options for personalization of emails including response statistics.',
     'category' => 'module',
     'shy' => 0,
-    'version' => '6.0.2',
+    'version' => '6.0.3',
     'dependencies' => 'cms,tt_address',
     'conflicts' => 'sr_direct_mail_ext,it_dmail_fix,plugin_mgm,direct_mail_123',
     'priority' => '',
