For anyone still using the tellafriend module... I've added some security enhancements:

Added the spamcheck() function which checks for any unexpected headers in the email. If found, execution is stopped and an email is sent to the address supplied by the administrator (under settings >> alert email) containing information about the possible injection attack.

Added flood control with a default of 3 requests per hour. This value can be changed from the settings page. This prevents malicious users from sending bulk emails from a Drupal site where tell-a-friend is enabled.

Added a restriction on the number of e-mail addresses that can be included per attempt. The default is 10, but this number can also be changed from the settings page. This prevents malicious users from exploiting tell-a-friend to send bulk emails.

Added user_access check to the tellafriend/send menu. This forces the user to be logged in before sending emails via tell-a-friend.

Added code to force the user's email to be the email that the user signed up with. Also added code that will find the user's name in CiviCRM, *IF* CiviCRM is enabled. Otherwise the user will still be responsible for entering their name. These additions make it more difficult for a malicious user to falsify their name and email address when sending mail from tell-a-friend.

Attachment: tellafriend.patch (18.03 KB), uploaded by axlroach
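As an added illustration (this is not the attached patch and not the tellafriend module's own code), the following plain-PHP sketch shows the three input-side checks the post describes: a spamcheck()-style test that rejects mail header injection in user-supplied fields, a cap on the number of recipients per attempt, and a per-address flood limit. The function names, the constructed sample submissions, and the use of a plain array as the flood log are assumptions for the example; Drupal's form, mail and flood APIs are deliberately left out so it runs stand-alone with the php CLI.

```php
<?php
// Added example, not the tellafriend module's code.
// Why header injection matters: a name/from/subject value that carries a CR or
// LF lets a sender append extra headers (for example Bcc:) to the outgoing
// message, which turns a tell-a-friend form into a bulk mail relay.

/**
 * Return a list of problems found in user-supplied mail fields.
 * An empty array means the submission looks clean.
 */
function tellafriend_spamcheck(array $fields) {
  $problems = array();
  foreach ($fields as $name => $value) {
    // Raw line breaks and their URL-encoded forms never belong in a header value.
    if (preg_match('/(\r|\n|%0a|%0d)/i', $value)) {
      $problems[] = "$name: line break found (possible header injection)";
      continue;
    }
    // Header names that a legitimate field value should never contain.
    if (preg_match('/\b(bcc|cc|content-type|mime-version)\s*:/i', $value)) {
      $problems[] = "$name: unexpected mail header";
    }
  }
  return $problems;
}

/**
 * Split a comma/semicolon/whitespace separated recipient list, validate each
 * address, and enforce the per-attempt limit (the post's default is 10).
 */
function tellafriend_check_recipients($raw, $max = 10) {
  $list = preg_split('/[\s,;]+/', trim($raw), -1, PREG_SPLIT_NO_EMPTY);
  $invalid = array();
  foreach ($list as $addr) {
    if (!filter_var($addr, FILTER_VALIDATE_EMAIL)) {
      $invalid[] = $addr;
    }
  }
  return array(
    'ok'      => count($list) > 0 && count($list) <= $max && !$invalid,
    'count'   => count($list),
    'invalid' => $invalid,
  );
}

/**
 * Simple flood control: allow at most $limit sends per $window seconds for one
 * client key (here the client IP). $log is an in-memory array standing in for
 * the module's persistent storage; $now is passed in to keep the check testable.
 */
function tellafriend_flood_ok(array &$log, $key, $now, $limit = 3, $window = 3600) {
  $recent = array();
  if (isset($log[$key])) {
    foreach ($log[$key] as $t) {
      if ($t > $now - $window) {
        $recent[] = $t;          // keep only timestamps inside the window
      }
    }
  }
  if (count($recent) >= $limit) {
    $log[$key] = $recent;
    return FALSE;                // over the limit, refuse this attempt
  }
  $recent[] = $now;
  $log[$key] = $recent;
  return TRUE;
}

// --- constructed sample submissions (not real data) ---
$clean = array(
  'name'    => 'Alice Example',
  'from'    => 'alice@example.com',
  'subject' => 'Thought you would like this page',
);
$injected = $clean;
$injected['from'] = "alice@example.com\r\nBcc: someone-else@example.net";

foreach (array('clean' => $clean, 'injected' => $injected) as $label => $fields) {
  $problems = tellafriend_spamcheck($fields);
  // In the module, a non-empty result is where execution stops and the alert
  // e-mail goes to the configured address; here we only report it.
  echo "$label: " . ($problems ? 'REJECT - ' . implode('; ', $problems) : 'ok') . "\n";
}

$r = tellafriend_check_recipients('bob@example.org, carol@example.org');
echo "recipients: " . ($r['ok'] ? 'ok' : 'reject') . " ({$r['count']} addresses)\n";
$r = tellafriend_check_recipients(str_repeat('x@example.org,', 11));
echo "recipients: " . ($r['ok'] ? 'ok' : 'reject') . " ({$r['count']} addresses)\n";

$log = array();
$now = 1000000;
for ($i = 0; $i < 4; $i++) {
  // Fourth attempt inside the hour is refused with the default limit of 3.
  echo "attempt " . ($i + 1) . ": " . (tellafriend_flood_ok($log, '192.0.2.10', $now + $i) ? 'allowed' : 'blocked') . "\n";
}
```

The injected sample is only there to show what the check catches; in the real module the rejected submission should also be logged with the submitting user and address so the alert e-mail the post mentions carries enough context to act on.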

Comments

thierry_gd:

Status: Needs review » Fixed

Modifications taken into account in Drupal 5.x version.

Anonymous:

Status: Fixed » Closed (fixed)