From: Thijs K. <ki...@us...> - 2005-06-15 21:12:53
Update of /cvsroot/squirrelmail/squirrelmail/src
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv32199/src
Modified Files:
Tag: SM-1_4-STABLE
addressbook.php printer_friendly_bottom.php right_main.php
Log Message:
Fix serveral cross site scripting bugs found by Martijn Brinkers and ourselves. Part 1/2, patch to magicHTML will follow. This is CAN-2005-1769.
Index: addressbook.php
===================================================================
RCS file: /cvsroot/squirrelmail/squirrelmail/src/addressbook.php,v
retrieving revision 1.58.2.19
retrieving revision 1.58.2.20
diff -u -w -r1.58.2.19 -r1.58.2.20
--- addressbook.php 8 Mar 2005 16:53:29 -0000 1.58.2.19
+++ addressbook.php 15 Jun 2005 21:12:04 -0000 1.58.2.20
@@ -282,7 +282,7 @@
 html_tag( 'tr', html_tag( 'td', "\n". '<strong><font color="' . $color[2] .
- '">' . _("ERROR") . ': ' . $abook->error . '</font></strong>' ."\n",
+ '">' . _("ERROR") . ': ' . htmlspecialchars($abook->error) . '</font></strong>' ."\n",
 'center' ) ), 'center', '', 'width="100%"' );
@@ -336,7 +336,7 @@
 html_tag( 'tr', html_tag( 'td', "\n". '<br /><strong><font color="' . $color[2] .
- '">' . _("ERROR") . ': ' . $formerror . '</font></strong>' ."\n",
+ '">' . _("ERROR") . ': ' . htmlspecialchars($formerror) . '</font></strong>' ."\n",
 'center' ) ), 'center', '', 'width="100%"' );
@@ -348,6 +348,7 @@
 /* Get and sort address list */
 $alist = $abook->list_addr();
 if(!is_array($alist)) {
+ $abook_error = htmlspecialchars($abook_error);
 plain_error_message($abook->error, $color);
 exit;
 }
Index: printer_friendly_bottom.php
===================================================================
RCS file: /cvsroot/squirrelmail/squirrelmail/src/printer_friendly_bottom.php,v
retrieving revision 1.29.2.6
retrieving revision 1.29.2.7
diff -u -w -r1.29.2.6 -r1.29.2.7
--- printer_friendly_bottom.php 28 Dec 2004 13:02:49 -0000 1.29.2.6
+++ printer_friendly_bottom.php 15 Jun 2005 21:12:05 -0000 1.29.2.7 
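Review bot: In the `@@ -348` hunk of addressbook.php the escaped value is never used: `$abook_error = htmlspecialchars($abook_error);` escapes a variable that nothing in the hunk assigns, while the next line still passes the raw `$abook->error` to plain_error_message(), so this error path stays unescaped even though the two hunks above escape the same field. Unless plain_error_message() escapes its argument itself (not visible here), the call should read `plain_error_message(htmlspecialchars($abook->error), $color);` and the added assignment be dropped. If `$abook_error` is not set earlier in the file (outside the hunk), the added line also raises an undefined-variable notice.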
@@ -33,7 +33,8 @@
 sqgetGlobalVar('passed_id', $passed_id, SQ_GET);
 sqgetGlobalVar('mailbox', $mailbox, SQ_GET);
-if (! sqgetGlobalVar('passed_ent_id', $passed_ent_id, SQ_GET) ) {
+if (! sqgetGlobalVar('passed_ent_id', $passed_ent_id, SQ_GET) ||
+ ! preg_match('/^\d+(\.\d+)*$/', $passed_ent_id) ) {
 $passed_ent_id = '';
 }
 /* end globals */
Index: right_main.php
===================================================================
RCS file: /cvsroot/squirrelmail/squirrelmail/src/right_main.php,v
retrieving revision 1.104.2.8
retrieving revision 1.104.2.9
diff -u -w -r1.104.2.8 -r1.104.2.9
--- right_main.php 27 Dec 2004 15:04:00 -0000 1.104.2.8
+++ right_main.php 15 Jun 2005 21:12:05 -0000 1.104.2.9
@@ -165,7 +165,7 @@
 do_hook('right_main_after_header');
 if (isset($note)) {
- echo html_tag( 'div', '<b>' . $note .'</b>', 'center' ) . "<br />\n";
+ echo html_tag( 'div', '<b>' . htmlspecialchars($note) .'</b>', 'center' ) . "<br />\n";
 }
 if ( sqgetGlobalVar('just_logged_in', $just_logged_in, SQ_SESSION) ) {
|
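Review bot: The allow-list regex `/^\d+(\.\d+)*$/` in the printer_friendly_bottom.php hunk still accepts a value ending in a newline, because `$` without the `D` modifier also matches just before a final "\n"; `'/^\d+(\.\d+)*$/D'` (or `\z` in place of `$`) closes that gap. Otherwise the check has the right shape — only dot-separated numeric entity ids pass, and a failing value is reset to `''` rather than carried forward. Where `$passed_ent_id` is later used or echoed is outside the hunk.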