  |
13 | 13 | | Product Attributes SQL Injection |
| |
14 | 14 | | Resize Images To Round Numbers |
| |
15 | 15 | | Use The Correct Country Name Value When Formatting Addresses |
 |
| 16 | + | Prevent The Session ID Being Passed In Tell-A-Friend E-Mails |
|
16 | 17 | | |
| |
17 | 18 | | ## Update 051113 (13th November 2005) |
| |
18 | 19 | | |
| |
|
|
 |
… |
|
282 | 283 | | |
| |
283 | 284 | | if ($country == '') $country = tep_output_string_protected($address['country']); |
| |
284 | 285 | | |
|
| 286 | + | ------------------------------------------------------------------------------ |
| |
| 287 | + | Prevent The Session ID Being Passed In Tell-A-Friend E-Mails |
| |
| 288 | + | http://www.oscommerce.com/community/bugs,3986 |
| |
| 289 | + | http://svn.oscommerce.com/trac/changeset/715 |
| |
| 290 | + | ------------------------------------------------------------------------------ |
| |
| 291 | + | |
| |
| 292 | + | Problem: |
| |
| 293 | + | |
| |
| 294 | + | If the customer has cookies disabled their session ID may exist in the store URL used in tell-a-friend emails. |
| |
| 295 | + | |
| |
| 296 | + | Solution: |
| |
| 297 | + | |
| |
| 298 | + | The following line must be replaced in catalog/tell_a_friend.php: |
| |
| 299 | + | |
| |
| 300 | + | Line 77, from: |
| |
| 301 | + | |
| |
| 302 | + | $email_body .= sprintf(TEXT_EMAIL_LINK, tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $HTTP_GET_VARS['products_id'])) . "\n\n" . |
| |
| 303 | + | |
| |
| 304 | + | to: |
| |
| 305 | + | |
| |
| 306 | + | $email_body .= sprintf(TEXT_EMAIL_LINK, tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $HTTP_GET_VARS['products_id'], 'NONSSL', false)) . "\n\n" . |
| |
| 307 | + | |
|
285 | 308 | | ########################### |
| |
286 | 309 | | ###### Update 051113 ###### |
| |
287 | 310 | | ########################### |