Only in squirrelmail-1.4.4/config: config.php
diff -uwr squirrelmail-1.4.4.orig/functions/addressbook.php squirrelmail-1.4.4/functions/addressbook.php
--- squirrelmail-1.4.4.orig/functions/addressbook.php Mon Dec 27 16:03:42 2004
+++ squirrelmail-1.4.4/functions/addressbook.php Thu Jun 9 15:37:27 2005
@@ -108,7 +108,7 @@
if (!$r && $showerr) {
printf( ' ' . _("Error initializing LDAP server %s:") .
"
\n", $param['host']);
- echo ' ' . $abook->error;
+ echo ' ' . htmlspecialchars($abook->error);
exit;
}
}
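Review bot: The escaping added on the `echo` line leaves the `printf` two lines above it unescaped: `$param['host']` is still interpolated into the HTML error message as-is. It is configuration-sourced, so the exposure is limited, but passing `htmlspecialchars($param['host'])` as the printf argument keeps the output handling of this error path uniform. `htmlspecialchars()` without a quote-style argument leaves single quotes alone, which is adequate here because both values are emitted as text, not inside an attribute. The enclosing function starts before this hunk.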
@@ -239,7 +239,7 @@
if (is_array($res)) {
$ret = array_merge($ret, $res);
} else {
- $this->error .= "
\n" . $backend->error;
+ $this->error .= "\n" . $backend->error;
$failed++;
}
}
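Review bot: The backend error messages are now joined with a bare `"\n"` in `$this->error`, and the other hunks in this patch route `$this->error` through `htmlspecialchars()` before output, so when several backends fail their messages will render on a single line in the browser. That is not a security problem, but if a per-line display is wanted the output sites should use `nl2br(htmlspecialchars($abook->error))` rather than putting markup back into the stored error string. The hunk at line 255 below makes the same change and the same remark applies. Both changes sit inside methods whose start and end lie outside the hunk.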
@@ -255,7 +255,7 @@
$ret = $this->backends[$bnum]->search($expression);
if (!is_array($ret)) {
- $this->error .= "
\n" . $this->backends[$bnum]->error;
+ $this->error .= "\n" . $this->backends[$bnum]->error;
$ret = FALSE;
}
}
diff -uwr squirrelmail-1.4.4.orig/functions/mime.php squirrelmail-1.4.4/functions/mime.php
--- squirrelmail-1.4.4.orig/functions/mime.php Mon Jan 10 19:52:48 2005
+++ squirrelmail-1.4.4/functions/mime.php Sun Jun 12 22:47:40 2005
@@ -847,6 +847,16 @@
/**
** HTMLFILTER ROUTINES
*/
+function sq_unbackslash($attvalue){
+ /**
+ * Remove any backslashes. See if there are any first.
+ */
+
+ if (strstr($attvalue, '\\') !== false){
+ $attvalue = stripslashes($attvalue);
+ }
+ return $attvalue;
+}
/**
* This function checks attribute values for entity-encoded values
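Review bot: `sq_unbackslash()` has no PHPDoc while the neighbouring filter helpers do, and the `strstr()` guard is redundant because `stripslashes()` already leaves a string without backslashes unchanged, so the body can simply be `return stripslashes($attvalue);`. If the guard is kept, `strpos($attvalue, '\\') !== false` is the cheaper test since only a yes/no answer is needed. A docblock above the function should state that it strips backslashes from an attribute value so that backslash-escaped characters cannot hide keywords from the later checks (presumably the intent, given where sq_fixstyle calls it), with `@param string $attvalue` and `@return string`. One thing worth recording there: `stripslashes()` maps the two-character sequence `\0` to a NUL byte, so this helper can put NUL bytes back into a string that a caller has just cleaned of them.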
@@ -1301,25 +1311,44 @@
* @param $hex whether the entites are hexadecimal.
* @return True or False depending on whether there were matches.
*/
-function sq_deent(&$attvalue, $regex, $hex=false){
+function sq_deent($attvalue){
$me = 'sq_deent';
- $ret_match = false;
- preg_match_all($regex, $attvalue, $matches);
- if (is_array($matches) && sizeof($matches[0]) > 0){
- $repl = Array();
- for ($i = 0; $i < sizeof($matches[0]); $i++){
- $numval = $matches[1][$i];
- if ($hex){
- $numval = hexdec($numval);
+ /**
+ * See if we have to run the checks first. All entities must start
+ * with "&".
+ */
+ if (strpos($attvalue, '&') === false){
+ return $attvalue;
}
- $repl{$matches[0][$i]} = chr($numval);
+ /**
+ * Check named entities first.
+ */
+ $trans = get_html_translation_table(HTML_ENTITIES);
+ /**
+ * Leave " in, as it can mess us up.
+ */
+ $trans = array_flip($trans);
+ unset($trans{'"'});
+ while (list($ent, $val) = each($trans)){
+ $attvalue = preg_replace('/' . $ent . '*/si', $val, $attvalue);
}
- $attvalue = strtr($attvalue, $repl);
- return true;
- } else {
- return false;
+ /**
+ * Now translate numbered entities from 1 to 255 if needed.
+ */
+ if (strpos($attvalue, '#') !== false){
+ $omit = Array(34, 39);
+ for ($asc = 256; $asc >= 0; $asc--){
+ if (!in_array($asc, $omit)){
+ $chr = chr($asc);
+ $octrule = '/\*' . $asc . ';*/si';
+ $hexrule = '/\*' . dechex($asc) . ';*/si';
+ $attvalue = preg_replace($octrule, $chr, $attvalue);
+ $attvalue = preg_replace($hexrule, $chr, $attvalue);
}
}
+ }
+ return $attvalue;
+}
/**
* This function runs various checks against the attributes.
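Review bot: The numeric-entity loop runs `for ($asc = 256; $asc >= 0; $asc--)`, which contradicts the comment above it ("from 1 to 255") and yields a NUL byte at both ends: `chr(256)` wraps to `chr(0)`, so an entity for 0 or 256 in the style is decoded to exactly the byte sq_fixstyle strips before calling this function; `for ($asc = 255; $asc >= 1; $asc--)` matches the comment and avoids that. The docblock context at the top of the hunk still documents `$regex`, `$hex` and a boolean return, none of which exist after this change; it should now read `@param string $attvalue` / `@return string the value with named and numeric entities decoded`. As rendered here the regexes are `'/\*' . $asc . ';*/si'`, which looks like the entity prefix was lost in the page rendering; whatever the real pattern is, it should anchor on the `#` prefix and permit leading zeros, since a leading-zero form such as `&#0065;` is as valid as `&#65;`. The `each()`/`list()` iteration and `unset($trans{'"'})` are fine for the PHP of this period but both forms are removed in PHP 8.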
@@ -1436,27 +1465,52 @@
/**
* Fix url('blah') declarations.
*/
- $content = preg_replace("|url\s*\(\s*([\'\"])\s*\S+script\s*:.*?([\'\"])\s*\)|si",
- "url(\\1$secremoveimg\\2)", $content);
+ // remove NUL
+ $content = str_replace("\0", "", $content);
+ // NB I insert NUL characters to keep to avoid an infinite loop. They are removed after the loop.
+ while (preg_match("/url\s*\(\s*[\'\"]?([^:]+):(.*)?[\'\"]?\s*\)/si", $content, $matches)) {
+ $sProto = strtolower($matches[1]);
+ switch ($sProto) {
/**
* Fix url('https*://.*) declarations but only if $view_unsafe_images
* is false.
*/
+ case 'https':
+ case 'http':
if (!$view_unsafe_images){
$content = preg_replace("|url\s*\(\s*([\'\"])\s*https*:.*?([\'\"])\s*\)|si",
- "url(\\1$secremoveimg\\2)", $content);
+ "u\0r\0l(\\1$secremoveimg\\2)", $content);
}
-
+ break;
/**
* Fix urls that refer to cid:
*/
- while (preg_match("|url\s*\(\s*([\'\"]\s*cid:.*?[\'\"])\s*\)|si",
- $content, $matches)){
- $cidurl = $matches{1};
+ case 'cid':
+ $cidurl = 'cid:'. $matches[2];
$httpurl = sq_cid2http($message, $id, $cidurl, $mailbox);
$content = preg_replace("|url\s*\(\s*$cidurl\s*\)|si",
- "url($httpurl)", $content);
+ "u\0r\0l($httpurl)", $content);
+ break;
+ default:
+ /**
+ * replace url with protocol other then the white list
+ * http,https and cid by an empty string.
+ */
+ $content = preg_replace("/url\s*\(\s*[\'\"]?([^:]+):(.*)?[\'\"]?\s*\)/si",
+ "", $content);
+ break;
+ }
+ break;
}
+ // remove NUL
+ $content = str_replace("\0", "", $content);
+
+ /**
+ * Remove any backslashes, entities, and extraneous whitespace.
+ */
+ $contentTemp = sq_unbackslash($content);
+ $contentTemp = sq_deent($contentTemp);
+ $contentTemp = sq_unspace($contentTemp);
/**
* Fix stupid css declarations which lead to vulnerabilities
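Review bot: The `break;` that follows the closing brace of the `switch` appears to sit inside the `while` loop (indentation is lost in this rendering, so this is inferred), which means the loop body runs exactly once and only the first `url(...)` declaration in the style block is rewritten; a second declaration with a non-whitelisted protocol would then reach the output untouched. The NUL-insertion trick described in the comment is what should terminate the loop, so the `http`/`https` case needs to mark its match even when `$view_unsafe_images` is true (rewriting the keyword to `u\0r\0l` without changing the argument), after which that trailing `break;` can be dropped. Independently, the `cid` case interpolates `$cidurl`, built from the untrusted capture `$matches[2]`, straight into the `|...|si` pattern; it should be `preg_quote($cidurl, '|')` so regex metacharacters in the CSS cannot alter the pattern. The `(.*)?` capture in the loop condition is greedy under `/s`, so `$matches[2]` can extend to the last `)` in the content; `(.*?)` is what is intended. Also, `sq_unbackslash()` runs after the NUL removal and `stripslashes()` maps the sequence `\0` to a NUL byte, so `$contentTemp` (and `$content`, when the later check replaces it) can contain NUL again — sq_fixstyle itself starts before this hunk.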
@@ -1467,7 +1521,12 @@
'/binding/i',
'/include-source/i');
$replace = Array('idiocy', 'idiocy', 'idiocy', 'idiocy');
- $content = preg_replace($match, $replace, $content);
+ $contentNew = preg_replace($match, $replace, $contentTemp);
+ if ($contentNew !== $contentTemp) {
+ // insecure css declarations are used. From now on we don't care
+ // anymore if the css is destroyed by sq_deent, sq_unspace or sq_unbackslash
+ $content = $contentNew;
+ }
return array($content, $newpos);
}
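Review bot: The `$contentNew !== $contentTemp` test also fires when `preg_replace()` fails and returns `null` (a PCRE error such as the backtrack limit on a large style block), in which case `$content` becomes `null` and the caller gets no style at all; that fails closed, which is the right direction for a filter, but it is silent and deserves a comment, e.g. `// preg_replace() returning null on a PCRE error counts as "changed" and drops the style, which is the safe outcome`. Whether the PHP version targeted here returns null or the original string on error should be confirmed. The enclosing function begins before this hunk.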
@@ -1754,7 +1813,8 @@
"embed",
"title",
"frameset",
- "xml"
+ "xml",
+ "xmp"
);
$self_closing_tags = Array(
diff -uwr squirrelmail-1.4.4.orig/functions/page_header.php squirrelmail-1.4.4/functions/page_header.php
--- squirrelmail-1.4.4.orig/functions/page_header.php Mon Dec 27 22:08:58 2004
+++ squirrelmail-1.4.4/functions/page_header.php Thu Jun 9 15:33:05 2005
@@ -275,6 +275,7 @@
: html_tag( 'td', '', 'left' ) )
. "\n";
$urlMailbox = urlencode($mailbox);
+ $startMessage = (int)$startMessage;
echo makeComposeLink('src/compose.php?mailbox='.$urlMailbox.'&startMessage='.$startMessage);
echo " \n";
displayInternalLink ('src/addressbook.php', _("Addresses"));
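Review bot: The `(int)` cast is applied only at this single use of `$startMessage`, right before it is concatenated into a URL; if the variable is used elsewhere in the function (which starts before this hunk, so this is not visible here) those uses remain unsanitised. Casting once where the value enters the function would cover every use with the same one line, `$startMessage = (int)$startMessage;`. A short comment on the cast would help the next reader, e.g. `// force integer: $startMessage is presumably request-derived and is echoed into a link`.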
diff -uwr squirrelmail-1.4.4.orig/plugins/calendar/calendar.php squirrelmail-1.4.4/plugins/calendar/calendar.php
--- squirrelmail-1.4.4.orig/plugins/calendar/calendar.php Mon Dec 27 16:03:49 2004
+++ squirrelmail-1.4.4/plugins/calendar/calendar.php Thu Jun 9 15:33:05 2005
@@ -29,16 +29,16 @@
/* get globals */
-if (isset($_GET['month'])) {
+if (isset($_GET['month']) && is_numeric($_GET['month'])) {
$month = $_GET['month'];
}
-if (isset($_GET['year'])) {
+if (isset($_GET['year']) && is_numeric($_GET['year'])) {
$year = $_GET['year'];
}
-if (isset($_POST['year'])) {
+if (isset($_POST['year']) && is_numeric($_POST['year'])) {
$year = $_POST['year'];
}
-if (isset($_POST['month'])) {
+if (isset($_POST['month']) && is_numeric($_POST['month'])) {
$month = $_POST['month'];
}
/* got 'em */
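Review bot: `is_numeric()` is a looser check than these integer fields need: it accepts leading whitespace, signs, decimals and exponent notation, so values like `1e1` or `2005.5` pass and are then used as-is. If the values are only ever used as integers, `ctype_digit($_GET['month'])` or an immediate cast on assignment (`$month = (int)$_GET['month'];`) is tighter and also makes the type explicit for the code below. When the check fails the variable is simply left unset, so the fallback behaviour depends on code outside the hunk and should be confirmed. The same pattern is used in the hunks for day.php, event_create.php and both event_edit.php hunks, where the same remark applies.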
diff -uwr squirrelmail-1.4.4.orig/plugins/calendar/day.php squirrelmail-1.4.4/plugins/calendar/day.php
--- squirrelmail-1.4.4.orig/plugins/calendar/day.php Mon Dec 27 16:03:49 2004
+++ squirrelmail-1.4.4/plugins/calendar/day.php Thu Jun 9 15:33:05 2005
@@ -29,22 +29,22 @@
require_once(SM_PATH . 'functions/html.php');
/* get globals */
-if (isset($_GET['year'])) {
+if (isset($_GET['year']) && is_numeric($_GET['year'])) {
$year = $_GET['year'];
}
-elseif (isset($_POST['year'])) {
+elseif (isset($_POST['year']) && is_numeric($_POST['year'])) {
$year = $_POST['year'];
}
-if (isset($_GET['month'])) {
+if (isset($_GET['month']) && is_numeric($_GET['month'])) {
$month = $_GET['month'];
}
-elseif (isset($_POST['month'])) {
+elseif (isset($_POST['month']) && is_numeric($_POST['month'])) {
$month = $_POST['month'];
}
-if (isset($_GET['day'])) {
+if (isset($_GET['day']) && is_numeric($_GET['day'])) {
$day = $_GET['day'];
}
-elseif (isset($_POST['day'])) {
+elseif (isset($_POST['day']) && is_numeric($_POST['day'])) {
$day = $_POST['day'];
}
diff -uwr squirrelmail-1.4.4.orig/plugins/calendar/event_create.php squirrelmail-1.4.4/plugins/calendar/event_create.php
--- squirrelmail-1.4.4.orig/plugins/calendar/event_create.php Mon Dec 27 16:03:49 2004
+++ squirrelmail-1.4.4/plugins/calendar/event_create.php Thu Jun 9 15:33:05 2005
@@ -29,40 +29,40 @@
/* get globals */
-if (isset($_POST['year'])) {
+if (isset($_POST['year']) && is_numeric($_POST['year'])) {
$year = $_POST['year'];
}
-elseif (isset($_GET['year'])) {
+elseif (isset($_GET['year']) && is_numeric($_GET['year'])) {
$year = $_GET['year'];
}
-if (isset($_POST['month'])) {
+if (isset($_POST['month']) && is_numeric($_POST['month'])) {
$month = $_POST['month'];
}
-elseif (isset($_GET['month'])) {
+elseif (isset($_GET['month']) && is_numeric($_GET['month'])) {
$month = $_GET['month'];
}
-if (isset($_POST['day'])) {
+if (isset($_POST['day']) && is_numeric($_POST['day'])) {
$day = $_POST['day'];
}
-elseif (isset($_GET['day'])) {
+elseif (isset($_GET['day']) && is_numeric($_GET['day'])) {
$day = $_GET['day'];
}
-if (isset($_POST['hour'])) {
+if (isset($_POST['hour']) && is_numeric($_POST['hour'])) {
$hour = $_POST['hour'];
}
-elseif (isset($_GET['hour'])) {
+elseif (isset($_GET['hour']) && is_numeric($_GET['hour'])) {
$hour = $_GET['hour'];
}
-if (isset($_POST['event_hour'])) {
+if (isset($_POST['event_hour']) && is_numeric($_POST['event_hour'])) {
$event_hour = $_POST['event_hour'];
}
-if (isset($_POST['event_minute'])) {
+if (isset($_POST['event_minute']) && is_numeric($_POST['event_minute'])) {
$event_minute = $_POST['event_minute'];
}
-if (isset($_POST['event_length'])) {
+if (isset($_POST['event_length']) && is_numeric($_POST['event_length'])) {
$event_length = $_POST['event_length'];
}
-if (isset($_POST['event_priority'])) {
+if (isset($_POST['event_priority']) && is_numeric($_POST['event_priority'])) {
$event_priority = $_POST['event_priority'];
}
if (isset($_POST['event_title'])) {
diff -uwr squirrelmail-1.4.4.orig/plugins/calendar/event_edit.php squirrelmail-1.4.4/plugins/calendar/event_edit.php
--- squirrelmail-1.4.4.orig/plugins/calendar/event_edit.php Mon Dec 27 16:03:49 2004
+++ squirrelmail-1.4.4/plugins/calendar/event_edit.php Thu Jun 9 15:33:05 2005
@@ -33,22 +33,22 @@
if (isset($_POST['updated'])) {
$updated = $_POST['updated'];
}
-if (isset($_POST['event_year'])) {
+if (isset($_POST['event_year']) && is_numeric($_POST['event_year'])) {
$event_year = $_POST['event_year'];
}
-if (isset($_POST['event_month'])) {
+if (isset($_POST['event_month']) && is_numeric($_POST['event_month'])) {
$event_month = $_POST['event_month'];
}
-if (isset($_POST['event_day'])) {
+if (isset($_POST['event_day']) && is_numeric($_POST['event_day'])) {
$event_day = $_POST['event_day'];
}
-if (isset($_POST['event_hour'])) {
+if (isset($_POST['event_hour']) && is_numeric($_POST['event_hour'])) {
$event_hour = $_POST['event_hour'];
}
-if (isset($_POST['event_minute'])) {
+if (isset($_POST['event_minute']) && is_numeric($_POST['event_minute'])) {
$event_minute = $_POST['event_minute'];
}
-if (isset($_POST['event_length'])) {
+if (isset($_POST['event_length']) && is_numeric($_POST['event_length'])) {
$event_length = $_POST['event_length'];
}
if (isset($_POST['event_title'])) {
@@ -60,40 +60,40 @@
if (isset($_POST['send'])) {
$send = $_POST['send'];
}
-if (isset($_POST['event_priority'])) {
+if (isset($_POST['event_priority']) && is_numeric($_POST['event_priority'])) {
$event_priority = $_POST['event_priority'];
}
if (isset($_POST['confirmed'])) {
$confirmed = $_POST['confirmed'];
}
-if (isset($_POST['year'])) {
+if (isset($_POST['year']) && is_numeric($_POST['year'])) {
$year = $_POST['year'];
}
-elseif (isset($_GET['year'])) {
+elseif (isset($_GET['year']) && is_numeric($_GET['year'])) {
$year = $_GET['year'];
}
-if (isset($_POST['month'])) {
+if (isset($_POST['month']) && is_numeric($_POST['month'])) {
$month = $_POST['month'];
}
-elseif (isset($_GET['month'])) {
+elseif (isset($_GET['month']) && is_numeric($_GET['month'])) {
$month = $_GET['month'];
}
-if (isset($_POST['day'])) {
+if (isset($_POST['day']) && is_numeric($_POST['day'])) {
$day = $_POST['day'];
}
-elseif (isset($_GET['day'])) {
+elseif (isset($_GET['day']) && is_numeric($_GET['day'])) {
$day = $_GET['day'];
}
-if (isset($_POST['hour'])) {
+if (isset($_POST['hour']) && is_numeric($_POST['hour'])) {
$hour = $_POST['hour'];
}
-elseif (isset($_GET['hour'])) {
+elseif (isset($_GET['hour']) && is_numeric($_GET['hour'])) {
$hour = $_GET['hour'];
}
-if (isset($_POST['minute'])) {
+if (isset($_POST['minute']) && is_numeric($_POST['minute'])) {
$minute = $_POST['minute'];
}
-elseif (isset($_GET['minute'])) {
+elseif (isset($_GET['minute']) && is_numeric($_GET['minute'])) {
$minute = $_GET['minute'];
}
/* got 'em */
diff -uwr squirrelmail-1.4.4.orig/plugins/filters/options.php squirrelmail-1.4.4/plugins/filters/options.php
--- squirrelmail-1.4.4.orig/plugins/filters/options.php Mon Dec 27 16:03:57 2004
+++ squirrelmail-1.4.4/plugins/filters/options.php Sun Jun 12 22:35:35 2005
@@ -189,7 +189,7 @@
html_tag( 'td', '', 'left' ) .
''.
''.
diff -uwr squirrelmail-1.4.4.orig/plugins/filters/spamoptions.php squirrelmail-1.4.4/plugins/filters/spamoptions.php
--- squirrelmail-1.4.4.orig/plugins/filters/spamoptions.php Mon Dec 27 16:03:57 2004
+++ squirrelmail-1.4.4/plugins/filters/spamoptions.php Sun Jun 12 22:36:03 2005
@@ -199,7 +199,7 @@
echo html_tag( 'p', '', 'center' ) .
'[' . _("Edit") . ']' .
' - [' . _("Done") . ']
';
- printf( _("Spam is sent to %s."), ($filters_spam_folder?''.imap_utf7_decode_local($filters_spam_folder).'':'['._("not set yet").']' ) );
+ printf( _("Spam is sent to %s."), ($filters_spam_folder?''.htmlspecialchars(imap_utf7_decode_local($filters_spam_folder)).'':'['._("not set yet").']' ) );
echo '
';
printf( _("Spam scan is limited to %s."), '' . ( ($filters_spam_scan == 'new')?_("Unread messages only"):_("All messages") ) . '' );
echo '
' - . sprintf(_("Settings adjusted to: %s with %s as default dictionary."), ''.$dsp_string.'', ''._($lang_default).'') + . sprintf(_("Settings adjusted to: %s with %s as default dictionary."), ''.$dsp_string.'', ''._(htmlspecialchars($lang_default)).'') . '
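Review bot: On the added `sprintf` line the escaping is applied before the translation lookup, `_(htmlspecialchars($lang_default))`, so any character that `htmlspecialchars()` rewrites changes the gettext key and the lookup falls back to the escaped raw name, while a string that does translate is emitted unescaped; the order should be `htmlspecialchars(_($lang_default))`. `$dsp_string` on the same line is also emitted unescaped; if it is built from user-selectable dictionary names the same treatment applies. The file header for this hunk is missing in this rendering and its lines are run together, so the surrounding statement is only partly visible.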
'; } else { /**
diff -uwr squirrelmail-1.4.4.orig/src/addressbook.php squirrelmail-1.4.4/src/addressbook.php
--- squirrelmail-1.4.4.orig/src/addressbook.php Mon Dec 27 16:03:59 2004
+++ squirrelmail-1.4.4/src/addressbook.php Thu Jun 9 15:34:15 2005
@@ -279,7 +279,7 @@
html_tag( 'tr', html_tag( 'td', "\n". '' . _("ERROR") . ': ' . $abook->error . '' ."\n",
+ '">' . _("ERROR") . ': ' . htmlspecialchars($abook->error) . '' ."\n",
'center' ) ), 'center', '', 'width="100%"' );
@@ -331,7 +331,7 @@
html_tag( 'tr', html_tag( 'td', "\n". '