From: Dave M. <da...@an...> - 2011-10-24 17:52:09
|
Squirrelmail version: 1.5.2 (20111024_0200-SVN)

Every plugin installed:

$plugins[] = 'cmumenuline'; (written here)
$plugins[] = 'compose_extras';
$plugins[] = 'useracl';
$plugins[] = 'check_quota';
$plugins[] = 'add_address';
$plugins[] = 'cmuldapdefault'; (written here)
$plugins[] = 'ldapquery';
$plugins[] = 'message_details';

PHP version: 5.2.6

Web server: Apache 1.3.39

IMAP server: Cyrus 2.4.x

SMTP server: sendmail 8.14.4

OS: Linux, based on fc3

Details about the bug:

From the message view, if you click the "Forward" button, then click
the "Addresses" button to add an address, the body of the message will
corrupt the addressbook view due to the "body" hidden field not being
escaped.

The following patch resolves this issue:

--- src/addrbook_search_html.php.orig 2011-10-24 13:27:42.000000000 -0400 +++ src/addrbook_search_html.php 2011-10-24 13:35:13.000000000 -0400 @@ -47,9 +47,9 @@ //FIXME Do not echo HTML from the core. This file already uses templates mostly, so why are we echoing here at all?!? if (substr($body, 0, 1) == "\r") { - echo addHidden('body', "\n".$body); + echo addHidden('body', "\n".htmlspecialchars($body)); } else { - echo addHidden('body', $body); + echo addHidden('body', htmlspecialchars($body)); } if (is_object($composeMessage) && $composeMessage->entities) |
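Review bot: htmlspecialchars($body) in both branches of the if/else is called with no quote-style argument, so under PHP's default ENT_COMPAT single quotes in the message body pass through unencoded; that is only safe while the hidden field's value attribute is written with double quotes. Passing ENT_QUOTES and the page charset explicitly would remove that dependency. Escaping at the call site also covers only this one 'body' field, and it will double-encode the body (a literal &quot; ends up in the forwarded text) if addHidden() or its template ever escapes the value itself, so escaping once where the input element is rendered, in line with the FIXME about echoing HTML from the core, would be the more durable change.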
From: Paul L. <pa...@sq...> - 2011-11-15 01:50:14
|
Hi Dave, sorry for the delay.

On Mon, Oct 24, 2011 at 10:52 AM, Dave McMurtrie <da...@an...> wrote:
> Squirrelmail version: 1.5.2 (20111024_0200-SVN)
>
> Every plugin installed:
>
> $plugins[] = 'cmumenuline'; (written here)
> $plugins[] = 'compose_extras';
> $plugins[] = 'useracl';
> $plugins[] = 'check_quota';
> $plugins[] = 'add_address';
> $plugins[] = 'cmuldapdefault'; (written here)
> $plugins[] = 'ldapquery';
> $plugins[] = 'message_details';
>
> PHP version: 5.2.6
>
> Web server: Apache 1.3.39
>
> IMAP server: Cyrus 2.4.x
>
> SMTP server: sendmail 8.14.4
>
> OS: Linux, based on fc3
>
> Details about the bug:
>
> From the message view, if you click the "Forward" button, then click
> the "Addresses" button to add an address, the body of the message will
> corrupt the addressbook view due to the "body" hidden field not being
> escaped.
>
> The following patch resolves this issue:

This was fixed in September - looks like you're using a version from October. The "better" fix is in templates/default/input.tpl, although even that fix isn't ideal in the long term. Here's the commit you'd need if you don't want to install a new snapshot.

http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=revision&revision=14145

> --- src/addrbook_search_html.php.orig 2011-10-24 13:27:42.000000000 -0400 > +++ src/addrbook_search_html.php 2011-10-24 13:35:13.000000000 -0400 > @@ -47,9 +47,9 @@ > > //FIXME Do not echo HTML from the core. This file already uses > templates mostly, so why are we echoing here at all?!? > if (substr($body, 0, 1) == "\r") { > - echo addHidden('body', "\n".$body); > + echo addHidden('body', "\n".htmlspecialchars($body)); > } else { > - echo addHidden('body', $body); > + echo addHidden('body', htmlspecialchars($body)); > } > > if (is_object($composeMessage) && $composeMessage->entities)

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php |
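The difference between escaping in the caller and escaping where the hidden field is rendered, which the reply above points to, shown as an added example that is not part of this thread or of SquirrelMail's code. `render_hidden_field()`, `render_hidden_field_raw()` and the sample body are hypothetical and constructed for illustration.

```php
<?php
// Added illustration. render_hidden_field() is a hypothetical helper,
// not SquirrelMail's addHidden() and not the code in input.tpl.

// Escape once, at the point where the value enters an HTML attribute.
function render_hidden_field($name, $value, $charset = 'UTF-8') {
    return '<input type="hidden" name="'
        . htmlspecialchars($name, ENT_QUOTES, $charset)
        . '" value="'
        . htmlspecialchars($value, ENT_QUOTES, $charset)
        . "\" />\n";
}

// Unescaped variant, mirroring the behaviour described in the bug report.
function render_hidden_field_raw($name, $value) {
    return '<input type="hidden" name="' . $name . '" value="' . $value . "\" />\n";
}

// Constructed sample: a forwarded message body containing quotes and markup.
$body = "On Monday \"Pat\" wrote:\n> see <table> & 'notes' below";

// 1. Raw: the first double quote in the body ends the value attribute and
//    the rest of the body is parsed as page markup.
echo render_hidden_field_raw('body', $body);

// 2. Escaped at the output layer: the whole body stays inside the attribute.
echo render_hidden_field('body', $body);

// 3. Escaping in the caller as well as in the renderer double-encodes: the
//    browser then submits &quot; and &amp; as literal text in the message.
echo render_hidden_field('body', htmlspecialchars($body, ENT_QUOTES, 'UTF-8'));

// Round-trip check: decoding the rendered attribute once must return the
// original body unchanged.
preg_match('/value="([^"]*)"/', render_hidden_field('body', $body), $m);
var_dump(html_entity_decode($m[1], ENT_QUOTES, 'UTF-8') === $body);
```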
From: Paul L. <pa...@sq...> - 2011-11-15 02:06:42
|
On Mon, Nov 14, 2011 at 5:49 PM, Paul Lesniewski <pa...@sq...> wrote:
> Hi Dave, sorry for the delay.
>
> On Mon, Oct 24, 2011 at 10:52 AM, Dave McMurtrie <da...@an...> wrote:
>> Squirrelmail version: 1.5.2 (20111024_0200-SVN)
>>
>> Every plugin installed:
>>
>> $plugins[] = 'cmumenuline'; (written here)
>> $plugins[] = 'compose_extras';
>> $plugins[] = 'useracl';
>> $plugins[] = 'check_quota';
>> $plugins[] = 'add_address';
>> $plugins[] = 'cmuldapdefault'; (written here)
>> $plugins[] = 'ldapquery';
>> $plugins[] = 'message_details';
>>
>> PHP version: 5.2.6
>>
>> Web server: Apache 1.3.39
>>
>> IMAP server: Cyrus 2.4.x
>>
>> SMTP server: sendmail 8.14.4
>>
>> OS: Linux, based on fc3
>>
>> Details about the bug:
>>
>> From the message view, if you click the "Forward" button, then click
>> the "Addresses" button to add an address, the body of the message will
>> corrupt the addressbook view due to the "body" hidden field not being
>> escaped.
>>
>> The following patch resolves this issue:
>
> This was fixed in September - looks like you're using a version from
> October.

Ha! I forgot September comes before October. :-)

Do you use a custom template set? Can you please check your copy of templates/default/input.tpl?

> The "better" fix is in templates/default/input.tpl, although
> even that fix isn't ideal in the long term. Here's the commit you'd
> need if you don't want to install a new snapshot.
>
> http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=revision&revision=14145
>
>> --- src/addrbook_search_html.php.orig 2011-10-24 13:27:42.000000000 -0400 >> +++ src/addrbook_search_html.php 2011-10-24 13:35:13.000000000 -0400 
>> @@ -47,9 +47,9 @@ >> >> //FIXME Do not echo HTML from the core. This file already uses >> templates mostly, so why are we echoing here at all?!? >> if (substr($body, 0, 1) == "\r") { >> - echo addHidden('body', "\n".$body); >> + echo addHidden('body', "\n".htmlspecialchars($body)); >> } else { >> - echo addHidden('body', $body); >> + echo addHidden('body', htmlspecialchars($body)); >> } >> >> if (is_object($composeMessage) && $composeMessage->entities)
>
> --
> Paul Lesniewski
> SquirrelMail Team
> Please support Open Source Software by donating to SquirrelMail!
> http://squirrelmail.org/donate_paul_lesniewski.php
>

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php |
From: Dave M. <da...@an...> - 2011-11-15 12:16:57
|
On 11/14/2011 08:49 PM, Paul Lesniewski wrote:
> Hi Dave, sorry for the delay.

No worries!

...snipped...

>> The following patch resolves this issue:
>
> This was fixed in September - looks like you're using a version from
> October. The "better" fix is in templates/default/input.tpl, although
> even that fix isn't ideal in the long term. Here's the commit you'd
> need if you don't want to install a new snapshot.
>
> http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=revision&revision=14145

Ugh! This is my fault. I'm actually running a slightly older version in production and I had to fix a couple bugs along the way when we first put it into production. I finally got the time to start going through and reporting some of the bugs I fixed, so I just grabbed the latest code and started to do diffs. Since I saw that the code in addrbook_search_html.php hadn't changed, I assumed the same bug still existed.

I think I still have a couple others to report. Shall I do so with the same disclaimer as above? Or would you rather wait until I can actually get the latest code up and running to actually verify the bugs still exist before submitting my patches?

Sorry for the false alarm :(

Thanks!

Dave |