From 95c5359666f6dae7d0426f0a1fc41c925b996086 Mon Sep 17 00:00:00 2001
From: Nik Okuntseff
Date: Sat, 8 Dec 2018 14:13:54 +0000
Subject: [PATCH] Improved cron.php security-wise with a more specific sql.

---
 WEB-INF/templates/footer.tpl | 2 +-
 cron.php | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/WEB-INF/templates/footer.tpl b/WEB-INF/templates/footer.tpl
index bf2c3a05..9c086022 100644
--- a/WEB-INF/templates/footer.tpl
+++ b/WEB-INF/templates/footer.tpl
@@ -12,7 +12,7 @@
-
 Anuko Time Tracker 1.18.29.4610 | Copyright © Anuko |
+  Anuko Time Tracker 1.18.29.4611 | Copyright © Anuko |
 {$i18n.footer.credits} | {$i18n.footer.license} | {$i18n.footer.improve}
diff --git a/cron.php b/cron.php
index eabcaa05..98c1456f 100644
--- a/cron.php
+++ b/cron.php
@@ -47,10 +47,10 @@ import('ttReportHelper');
 $mdb2 = getConnection();
 $now = time();
- $sql = "select c.id, c.cron_spec, c.report_id, c.email, c.cc, c.subject, c.report_condition from tt_cron c
- left join tt_fav_reports fr on (c.report_id = fr.id)
- where $now >= c.next and fr.status = 1
- and c.status = 1 and c.report_id is not null and c.email is not null";
+ $sql = "select c.id, c.cron_spec, c.report_id, c.email, c.cc, c.subject, c.report_condition from tt_cron c".
+ " inner join tt_fav_reports fr on (c.report_id = fr.id and c.group_id = fr.group_id and c.org_id = fr.org_id)".
+ " where $now >= c.next and fr.status = 1".
+ " and c.status = 1 and c.report_id is not null and c.email is not null";
 $res = $mdb2->query($sql);
 if (is_a($res, 'PEAR_Error')) exit();
--
2.20.1
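Review bot: The rewritten query still splices `$now` straight into the SQL string in the `" where $now >= c.next …"` fragment, so the statement stays string-built even though the commit's stated aim is to tighten it security-wise; `$now` comes from `time()` so it is not attacker-controlled here, but nothing local would catch a later change to how it is sourced. A one-line change lets the driver type and quote the value: `" where ".$mdb2->quote($now, 'integer')." >= c.next and fr.status = 1".`. Separately, the new inner-join predicates `c.group_id = fr.group_id and c.org_id = fr.org_id` use plain equality, so any existing row in either table whose group_id or org_id is NULL (the schema and migrations are not visible from this hunk) will never match and that scheduled report is silently skipped rather than sent; worth confirming those columns are NOT NULL or backfilled before shipping. This is top-level script code and the surrounding statements continue outside the hunk.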