SF.net SVN: postfixadmin:[1810] branches/postfixadmin-2.3
From: <chr...@us...> - 2015-10-02 17:48:44
Revision: 1810 http://sourceforge.net/p/postfixadmin/code/1810 Author: christian_boltz Date: 2015-10-02 17:48:42 +0000 (Fri, 02 Oct 2015) Log Message: ----------- functions.inc.php: - gen_show_status(): escape mail addresses in query. Fixes https://sourceforge.net/p/postfixadmin/bugs/356/ (mostly - the edit/delete/... links in list-virtual are double-escaped) In theory this could allow SQL injection, in practise the mail address regex limits this issue to a DOS (creating a mail address with ' caused an invalid query that broke list-virtual) Modified Paths: -------------- branches/postfixadmin-2.3/CHANGELOG.TXT branches/postfixadmin-2.3/functions.inc.php Modified: branches/postfixadmin-2.3/CHANGELOG.TXT =================================================================== --- branches/postfixadmin-2.3/CHANGELOG.TXT 2015-10-02 17:45:16 UTC (rev 1809) +++ branches/postfixadmin-2.3/CHANGELOG.TXT 2015-10-02 17:48:42 UTC (rev 1810) @@ -15,6 +15,7 @@ - fix query to enable/disable alias in edit-mailbox for PostgreSQL (#311) - don't prefill username in users/ login on failed logins - fixes (probably harmless) XSS + - fix show_gen_status() to properly escape mail addresses in query (#356) - allow MariaDB in Debian package dependencies Version 2.3.7 - 2014/02/20 - SVN r1651 (postfixadmin-2.3 branch) Modified: branches/postfixadmin-2.3/functions.inc.php =================================================================== --- branches/postfixadmin-2.3/functions.inc.php 2015-10-02 17:45:16 UTC (rev 1809) +++ branches/postfixadmin-2.3/functions.inc.php 2015-10-02 17:48:42 UTC (rev 1810) 
@@ -2201,9 +2201,9 @@ if (!empty($CONF['recipient_delimiter'])) { $delimiter = preg_quote($CONF['recipient_delimiter'], "/"); $stat_delimiter = preg_replace('/' .$delimiter. '[^' .$delimiter. ']*@/', "@", $g); - $stat_delimiter = "OR address = '$stat_delimiter'"; + $stat_delimiter = "OR address = '" . escape_string($stat_delimiter) . "'"; } - $stat_result = db_query ("SELECT address FROM $table_alias WHERE address = '$g' OR address = '$stat_catchall' $stat_delimiter"); + $stat_result = db_query ("SELECT address FROM $table_alias WHERE address = '" . escape_string($g) . "' OR address = '" . escape_string($stat_catchall) . "' $stat_delimiter"); if ($stat_result['rows'] == 0) { $stat_ok = 0; This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
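Review bot: the CHANGELOG.TXT hunk names the function `show_gen_status()`, but the log message and the code being fixed refer to `gen_show_status()`; align the entry with the real function name so the changelog stays searchable, e.g. `- fix gen_show_status() to properly escape mail addresses in query (#356)`.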
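Review bot: in the functions.inc.php hunk the root cause is that `$stat_delimiter` holds first a derived address and then a ready-made SQL fragment, which is how the unescaped interpolation slipped through; the fix is correct, since all three interpolated values (`$g`, `$stat_catchall` and the delimiter-stripped address) now pass through `escape_string()`, but the variable reuse remains. Consider a separate variable for the fragment, e.g. `$stat_delimiter_sql = "OR address = '" . escape_string($stat_delimiter) . "'";`, and a one-line comment stating that every value reaching `db_query()` must be escaped. `$table_alias` is the only remaining unescaped interpolation, which is acceptable only as long as it is a config-derived table name and never user input.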