From: <pdo...@us...> - 2025-04-02 04:06:50
Revision: 15038 http://sourceforge.net/p/squirrelmail/code/15038 Author: pdontthink Date: 2025-04-02 04:06:34 +0000 (Wed, 02 Apr 2025) Log Message: ----------- Sanitize part of a header inadvertently included as-is after processing the first part which was encoded (Thanks to yelang123 (@yelang123x) and nga990 (@nga_990)) CVE-2025-30090 Modified Paths: -------------- trunk/squirrelmail/functions/mime.php Modified: trunk/squirrelmail/functions/mime.php =================================================================== --- trunk/squirrelmail/functions/mime.php 2025-04-02 04:02:28 UTC (rev 15037) +++ trunk/squirrelmail/functions/mime.php 2025-04-02 04:06:34 UTC (rev 15038) @@ -963,7 +963,9 @@ } } - if (!$encoded && $htmlsafe) { + // It is possible to slip XSS in here when a header has encoded content followed by unecoded malicious content --- this test was written long ago, but because the leftover $chunk has not been classified or handled in any way, we can't assume it is safe to include as-is.... We'll assume the person who wrote this if() would agree and didn't mean to accidentally allow such and that what they meant was the following corrected line: + // if (!$encoded && $htmlsafe) { + if ($htmlsafe) { $ret .= sm_encode_html_special_chars($chunk); } else { $ret .= $chunk; This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
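Review bot: dropping `!$encoded` from the condition means the leftover `$chunk` is now escaped whenever `$htmlsafe` is set, including after a chunk that went through the encoded path; please confirm that the encoded branch above does not already emit HTML-escaped text, otherwise this hunk introduces double-encoding (`&amp;amp;`) in headers that were previously rendered correctly. The accompanying comment should also be tightened: it is one run-on sentence with a typo ("unecoded"), and the commented-out `// if (!$encoded && $htmlsafe) {` duplicates the `-` line the diff already records. Something like `// $chunk may hold raw, unclassified header text that follows an encoded-word; always escape it when $htmlsafe is set (CVE-2025-30090)` says the same thing in one line. Since the log message cites a CVE, a regression test that feeds a header containing an encoded-word followed by a raw `<script>` fragment through this function and asserts the output is escaped would keep the condition from being relaxed again.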