Improved cron.php security-wise with a more specific sql.

diff --git a/WEB-INF/templates/footer.tpl b/WEB-INF/templates/footer.tpl
index bf2c3a0..9c08602 100644 (file)
--- a/WEB-INF/templates/footer.tpl
+++ b/WEB-INF/templates/footer.tpl
@@ -12,7 +12,7 @@
       <br>
       <table cellspacing="0" cellpadding="4" width="100%" border="0">
         <tr>
-          <td align="center">&nbsp;Anuko Time Tracker 1.18.29.4610 | Copyright &copy; <a href="https://www.anuko.com/lp/tt_3.htm" target="_blank">Anuko</a> |
+          <td align="center">&nbsp;Anuko Time Tracker 1.18.29.4611 | Copyright &copy; <a href="https://www.anuko.com/lp/tt_3.htm" target="_blank">Anuko</a> |
             <a href="https://www.anuko.com/lp/tt_4.htm" target="_blank">{$i18n.footer.credits}</a> |
             <a href="https://www.anuko.com/lp/tt_5.htm" target="_blank">{$i18n.footer.license}</a> |
             <a href="https://www.anuko.com/lp/tt_7.htm" target="_blank">{$i18n.footer.improve}</a>

diff --git a/cron.php b/cron.php
index eabcaa0..98c1456 100644 (file)
--- a/cron.php
+++ b/cron.php
@@ -47,10 +47,10 @@ import('ttReportHelper');
 $mdb2 = getConnection();
 $now = time();
 
- $sql = "select c.id, c.cron_spec, c.report_id, c.email, c.cc, c.subject, c.report_condition from tt_cron c
-   left join tt_fav_reports fr on (c.report_id = fr.id)
-   where $now >= c.next and fr.status = 1
-   and c.status = 1 and c.report_id is not null and c.email is not null";
+ $sql = "select c.id, c.cron_spec, c.report_id, c.email, c.cc, c.subject, c.report_condition from tt_cron c".
+   " inner join tt_fav_reports fr on (c.report_id = fr.id and c.group_id = fr.group_id and c.org_id = fr.org_id)".
+   " where $now >= c.next and fr.status = 1".
+   " and c.status = 1 and c.report_id is not null and c.email is not null";
 $res = $mdb2->query($sql);
 if (is_a($res, 'PEAR_Error'))
   exit();