The WordPress Postie plugin is a great way to simplify posting to your blog. After installing and configuring the plugin, all you need to do is send an email and it will automatically post to the blog. Postie has many nice features.
The recently released v1.4.4 includes a fix to avoid XSS attacks. It appears that the fix is a little aggressive: many email client applications encode attachments (PDF, etc.) as base64, and Postie v1.4.4 now blocks all base64 attachments.
Here is the fix:
- Open ./wp-content/plugins/postie/get_mail.php
- Go to line 36, you will see:

```php
// check for XSS attacks - we disallow any javascript, meta, onload, or base64
if (preg_match("/.*(script|onload|meta|base64).*/is", $email)) {
    echo "possible XSS attack - ignoring email\n";
    continue;
}
```
- On line 37, remove "|base64" so it looks like this:
```php
// check for XSS attacks - we disallow any javascript, meta, or onload
if (preg_match("/.*(script|onload|meta).*/is", $email)) {
    echo "possible XSS attack - ignoring email\n";
    continue;
}
```
- Save the file (make sure to upload the change if you are modifying the file on your local machine)
With that fix, the attachments come through as expected.
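To show which part of an email trips the check, the following added example (not Postie's code) applies both keyword lists from the page to three constructed emails and lists every line that matches. The function names `is_blocked` and `find_triggers` and the sample emails are assumptions made for this illustration.

```php
<?php
// Added example, not Postie code. The keyword lists come from the two
// patterns shown on the page; the sample emails are constructed.
const KEYWORDS_V144    = ['script', 'onload', 'meta', 'base64'];
const KEYWORDS_PATCHED = ['script', 'onload', 'meta'];

// Same test as get_mail.php: true means "possible XSS attack - ignoring email".
function is_blocked(array $keywords, string $email): bool
{
    $pattern = '/.*(' . implode('|', $keywords) . ').*/is';
    return preg_match($pattern, $email) === 1;
}

// Lists every line that triggers the check, as [line number, keyword, text].
function find_triggers(array $keywords, string $email): array
{
    $hits = [];
    foreach (preg_split('/\r?\n/', $email) as $i => $line) {
        if (preg_match_all('/' . implode('|', $keywords) . '/i', $line, $m)) {
            foreach ($m[0] as $kw) {
                $hits[] = [$i + 1, strtolower($kw), trim($line)];
            }
        }
    }
    return $hits;
}

$samples = [
    'PDF attachment' => "Subject: Report\r\n"
        . "Content-Type: application/pdf; name=\"report.pdf\"\r\n"
        . "Content-Transfer-Encoding: base64\r\n\r\n"
        . "JVBERi0xLjQK\r\n",
    'Plain text post' => "Subject: Product description\r\n\r\n"
        . "Photo metadata is stripped on upload.\r\n",
    'Inline script tag' => "Subject: Test\r\n\r\n"
        . "<script>/* constructed sample */</script>\r\n",
];

foreach ($samples as $name => $email) {
    printf("%-18s v1.4.4: %-7s patched: %s\n", $name,
        is_blocked(KEYWORDS_V144, $email) ? 'blocked' : 'passes',
        is_blocked(KEYWORDS_PATCHED, $email) ? 'blocked' : 'passes');
    foreach (find_triggers(KEYWORDS_V144, $email) as [$n, $kw, $text]) {
        echo "    line $n matched '$kw': $text\n";
    }
}
```

The PDF sample is rejected by v1.4.4 only because of its `Content-Transfer-Encoding: base64` header, and the plain-text sample is still rejected after the change because "description" contains `script` and "metadata" contains `meta`.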
Did what you recommended - nothing changed.
Removed complete XSS attacks section - works fine.
Too dangerous?
Klaus