# HG changeset patch
# User Dan
# Date 1200721672 18000
# Node ID a9a3789ce02dd8c1aac345f9dee1dbcd1ef84b8b
# Parent 27f5ac58992c4e994737357d95bf7595914d1d29
Not sure if $taboo was getting sanitized or not. Possibly an SQL injection vulnerability that allows maliciously crafted group names to inject SQL at a later date when the group CP is loaded. Unconfirmed, theoretical fix.
diff -r 27f5ac58992c -r a9a3789ce02d plugins/SpecialGroups.php
--- a/plugins/SpecialGroups.php Fri Jan 18 10:35:33 2008 -0500
+++ b/plugins/SpecialGroups.php Sat Jan 19 00:47:52 2008 -0500
@@ -502,7 +502,8 @@ echo '