--CRM-16906, applied Joe's commit https://github.com/civicrm/civicrm-core/commit...
authorPradeep Nayak <pradpnayak@gmail.com>
Tue, 25 Aug 2015 20:45:58 +0000 (02:15 +0530)
committerPradeep Nayak <pradpnayak@gmail.com>
Wed, 9 Sep 2015 09:35:00 +0000 (15:05 +0530)
CRM/Campaign/BAO/Petition.php

index bb952463e14e22cecba83b2dbd14edff69f4cf8a..55f411550c9b73b8873e87915352941aef82bdb1 100644 (file)
@@ -267,15 +267,21 @@ AND         tag_id = ( SELECT id FROM civicrm_tag WHERE name = %2 )";
       2 => array($tag_name, 'String'),
     );
     CRM_Core_DAO::executeQuery($sql, $params);
-
-    // set permanent cookie to indicate this users email address now confirmed
-    setcookie("confirmed_{$petition_id}",
-      $activity_id,
-      time() + $this->cookieExpire,
-      '/'
-    );
-
-    return TRUE;
+    // validate arguments to setcookie are numeric to prevent header manipulation
+    if (isset($petition_id) && is_numeric($petition_id)
+      && isset($activity_id) && is_numeric($activity_id)) {
+      // set permanent cookie to indicate this users email address now confirmed
+      setcookie("confirmed_{$petition_id}",
+        $activity_id,
+        time() + $this->cookieExpire,
+        '/'
+      );
+      return TRUE;
+    }
+    else {
+      // TODO: raise an error?
+      return FALSE;
+    }
   }
 
   /**
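Review bot: The new `is_numeric` guard sits after `CRM_Core_DAO::executeQuery($sql, $params)`, so by the time the `else` branch returns FALSE the tag query bound to `$tag_name` has already run while the caller is told the confirmation did not complete; moving the check ahead of the query (or to the start of the function, which begins outside this hunk) keeps the database write and the cookie consistent. `is_numeric()` also accepts forms such as `'1e3'`, `' 5'` and `'+1.5'` that are not valid ids, so for integer ids `ctype_digit((string) $petition_id) && ctype_digit((string) $activity_id)` (or casting both to `(int)` before use) is the tighter check, and once cast the `isset()` half of the condition adds nothing. The `// TODO: raise an error?` branch returns FALSE silently, which callers written against the previous always-TRUE contract may never inspect; either throw there, e.g. `throw new CRM_Core_Exception('Invalid petition or activity id');`, or document the new FALSE return in the function's docblock, which also lies outside the hunk.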