Only in squirrelmail-1.4.4/config: config.php diff -uwr squirrelmail-1.4.4.orig/functions/addressbook.php squirrelmail-1.4.4/functions/addressbook.php --- squirrelmail-1.4.4.orig/functions/addressbook.php Mon Dec 27 16:03:42 2004 +++ squirrelmail-1.4.4/functions/addressbook.php Thu Jun 9 15:37:27 2005 @@ -108,7 +108,7 @@ if (!$r && $showerr) { printf( ' ' . _("Error initializing LDAP server %s:") . "
\n", $param['host']); - echo ' ' . $abook->error; + echo ' ' . htmlspecialchars($abook->error); exit; } } @@ -239,7 +239,7 @@ if (is_array($res)) { $ret = array_merge($ret, $res); } else { - $this->error .= "
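Review bot: Escaping `$abook->error` at this echo is right, but the value is now the newline-joined list of backend errors (the two hunks below keep only the `"\n"` separator and drop the markup that preceded it), so after `htmlspecialchars()` several messages render on one HTML line; `echo ' ' . nl2br(htmlspecialchars($abook->error));` keeps them readable without reintroducing raw markup. The `printf()` just above still interpolates `$param['host']` unescaped — it presumably comes from the LDAP configuration rather than the request, but wrapping it costs nothing. The enclosing function starts before this hunk.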
\n" . $backend->error; + $this->error .= "\n" . $backend->error; $failed++; } } @@ -255,7 +255,7 @@ $ret = $this->backends[$bnum]->search($expression); if (!is_array($ret)) { - $this->error .= "
\n" . $this->backends[$bnum]->error; + $this->error .= "\n" . $this->backends[$bnum]->error; $ret = FALSE; } } diff -uwr squirrelmail-1.4.4.orig/functions/mime.php squirrelmail-1.4.4/functions/mime.php --- squirrelmail-1.4.4.orig/functions/mime.php Mon Jan 10 19:52:48 2005 +++ squirrelmail-1.4.4/functions/mime.php Sun Jun 12 22:47:40 2005 @@ -847,6 +847,16 @@ /** ** HTMLFILTER ROUTINES */ +function sq_unbackslash($attvalue){ + /** + * Remove any backslashes. See if there are any first. + */ + + if (strstr($attvalue, '\\') !== false){ + $attvalue = stripslashes($attvalue); + } + return $attvalue; +} /** * This function checks attribute values for entity-encoded values 
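Review bot: `sq_unbackslash()` only deletes the backslash, but CSS hex escapes carry their value in the digits that follow it, so `e\78pression` leaves `stripslashes()` as `e78pression`, misses the `/expression/i` blacklist applied later, and is still read by a browser as `expression`. Decode `\HHHHHH` sequences (one to six hex digits, optional trailing space) to the character they denote before stripping the remaining backslashes; restricting the decode to ASCII avoids mangling legitimate non-Latin escapes. Note also that `stripslashes()` turns a literal `\0` into a NUL byte, which the caller strips from `$content` before calling this but not from the result.
```php
function sq_cssescape_cb($m){
    /* Only ASCII matters for the keyword blacklist; leave wider code points as written. */
    $code = hexdec($m[1]);
    return ($code < 128) ? chr($code) : $m[0];
}

function sq_unbackslash($attvalue){
    if (strpos($attvalue, '\\') === false){
        return $attvalue;
    }
    /* CSS: \HHHHHH (1-6 hex digits, optional trailing space) denotes a character. */
    $attvalue = preg_replace_callback('/\\\\([0-9a-fA-F]{1,6})\s?/',
                                      'sq_cssescape_cb', $attvalue);
    return stripslashes($attvalue);
}
```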
@@ -1301,25 +1311,44 @@ * @param $hex whether the entites are hexadecimal. * @return True or False depending on whether there were matches. */ -function sq_deent(&$attvalue, $regex, $hex=false){ +function sq_deent($attvalue){ $me = 'sq_deent'; - $ret_match = false; - preg_match_all($regex, $attvalue, $matches); - if (is_array($matches) && sizeof($matches[0]) > 0){ - $repl = Array(); - for ($i = 0; $i < sizeof($matches[0]); $i++){ - $numval = $matches[1][$i]; - if ($hex){ - $numval = hexdec($numval); + /** + * See if we have to run the checks first. All entities must start + * with "&". + */ + if (strpos($attvalue, '&') === false){ + return $attvalue; } - $repl{$matches[0][$i]} = chr($numval); + /** + * Check named entities first. + */ + $trans = get_html_translation_table(HTML_ENTITIES); + /** + * Leave " in, as it can mess us up. + */ + $trans = array_flip($trans); + unset($trans{'"'}); + while (list($ent, $val) = each($trans)){ + $attvalue = preg_replace('/' . $ent . '*/si', $val, $attvalue); } - $attvalue = strtr($attvalue, $repl); - return true; - } else { - return false; + /** + * Now translate numbered entities from 1 to 255 if needed. + */ + if (strpos($attvalue, '#') !== false){ + $omit = Array(34, 39); + for ($asc = 256; $asc >= 0; $asc--){ + if (!in_array($asc, $omit)){ + $chr = chr($asc); + $octrule = '/\�*' . $asc . ';*/si'; + $hexrule = '/\�*' . dechex($asc) . ';*/si'; + $attvalue = preg_replace($octrule, $chr, $attvalue); + $attvalue = preg_replace($hexrule, $chr, $attvalue); } } + } + return $attvalue; +} /** * This function runs various checks against the attributes. 
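Review bot: The numeric-entity loop rewrites by prefix: each pattern is `&#` plus `$asc` with an optional `;`, so at `$asc == 100` it also consumes the first three digits of `&#1000;` and leaves `d0;` behind instead of an untouched reference, and `chr(256)` at the top of the range is `chr(0)`. One `preg_replace_callback` over the whole value decodes every reference exactly, keeps the `$omit` quote exemption, and replaces more than five hundred `preg_replace` passes per value with a single one. The named-entity loop has the same `$ent . '*'` shape (the quantifier applies only to the trailing `;`) and deserves a comment saying the semicolon is deliberately optional.
```php
function sq_deent_numeric_cb($m){
    $code = ($m[1] !== '') ? hexdec($m[1]) : (int)$m[2];
    /* Keep &#34; and &#39; encoded (the $omit list) and leave anything above 255 alone. */
    if ($code == 34 || $code == 39 || $code > 255){
        return $m[0];
    }
    return chr($code);
}

/* … unchanged: sq_deent() up to and including the named-entity loop … */
    if (strpos($attvalue, '#') !== false){
        /* &#NNN; or &#xHHH;, leading zeros and the semicolon optional */
        $attvalue = preg_replace_callback('/&#(?:x0*([0-9a-f]+)|0*([0-9]+));?/i',
                                          'sq_deent_numeric_cb', $attvalue);
    }
    return $attvalue;
```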
@@ -1436,27 +1465,52 @@ /** * Fix url('blah') declarations. */ - $content = preg_replace("|url\s*\(\s*([\'\"])\s*\S+script\s*:.*?([\'\"])\s*\)|si", - "url(\\1$secremoveimg\\2)", $content); + // remove NUL + $content = str_replace("\0", "", $content); + // NB I insert NUL characters to keep to avoid an infinite loop. They are removed after the loop. + while (preg_match("/url\s*\(\s*[\'\"]?([^:]+):(.*)?[\'\"]?\s*\)/si", $content, $matches)) { + $sProto = strtolower($matches[1]); + switch ($sProto) { /** * Fix url('https*://.*) declarations but only if $view_unsafe_images * is false. */ + case 'https': + case 'http': if (!$view_unsafe_images){ $content = preg_replace("|url\s*\(\s*([\'\"])\s*https*:.*?([\'\"])\s*\)|si", - "url(\\1$secremoveimg\\2)", $content); + "u\0r\0l(\\1$secremoveimg\\2)", $content); } - + break; /** * Fix urls that refer to cid: */ - while (preg_match("|url\s*\(\s*([\'\"]\s*cid:.*?[\'\"])\s*\)|si", - $content, $matches)){ - $cidurl = $matches{1}; + case 'cid': + $cidurl = 'cid:'. $matches[2]; $httpurl = sq_cid2http($message, $id, $cidurl, $mailbox); $content = preg_replace("|url\s*\(\s*$cidurl\s*\)|si", - "url($httpurl)", $content); + "u\0r\0l($httpurl)", $content); + break; + default: + /** + * replace url with protocol other then the white list + * http,https and cid by an empty string. + */ + $content = preg_replace("/url\s*\(\s*[\'\"]?([^:]+):(.*)?[\'\"]?\s*\)/si", + "", $content); + break; + } + break; } + // remove NUL + $content = str_replace("\0", "", $content); + + /** + * Remove any backslashes, entities, and extraneous whitespace. + */ + $contentTemp = sq_unbackslash($content); + $contentTemp = sq_deent($contentTemp); + $contentTemp = sq_unspace($contentTemp); /** * Fix stupid css declarations which lead to vulnerabilities 
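Review bot: The `break;` that follows the switch's closing brace leaves the `while` after its first iteration, so only url() values of the first scheme encountered are rewritten: with `$view_unsafe_images` off, `url('http://a') url(javascript:x)` has the http reference blanked and the javascript one left in place, and an unquoted `url(http://…)` is never touched because the http branch's pattern insists on a quote. The `(.*)?` in the match is greedy under the `s` modifier, so `$matches[2]` (and the default branch's deletion) runs to the last `)` of the whole style block rather than the end of this url(). Making that quantifier lazy and replacing exactly `$matches[0]` on every iteration guarantees progress, after which the early `break` can go. The enclosing function starts before this hunk.
```php
    while (preg_match("/url\s*\(\s*[\'\"]?([^:]+):(.*?)[\'\"]?\s*\)/si", $content, $matches)) {
        $sProto = strtolower($matches[1]);
        switch ($sProto) {
            case 'https':
            case 'http':
                /* Blank the image or keep it; either way the "url" token is NUL-split
                 * so this occurrence cannot match again. */
                $sNew = $view_unsafe_images
                      ? "u\0r\0l(" . substr($matches[0], strpos($matches[0], '(') + 1)
                      : "u\0r\0l('$secremoveimg')";
                break;
            case 'cid':
                $httpurl = sq_cid2http($message, $id, 'cid:' . $matches[2], $mailbox);
                $sNew = "u\0r\0l($httpurl)";
                break;
            default:
                /* any scheme outside http/https/cid (javascript:, data:, …) is dropped */
                $sNew = '';
                break;
        }
        $content = str_replace($matches[0], $sNew, $content);
    }
    // … unchanged: NUL removal and the sq_unbackslash/sq_deent/sq_unspace pass …
```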
@@ -1467,7 +1521,12 @@ '/binding/i', '/include-source/i'); $replace = Array('idiocy', 'idiocy', 'idiocy', 'idiocy'); - $content = preg_replace($match, $replace, $content); + $contentNew = preg_replace($match, $replace, $contentTemp); + if ($contentNew !== $contentTemp) { + // insecure css declarations are used. From now on we don't care + // anymore if the css is destroyed by sq_deent, sq_unspace or sq_unbackslash + $content = $contentNew; + } return array($content, $newpos); } @@ -1754,7 +1813,8 @@ "embed", "title", "frameset", - "xml" + "xml", + "xmp" ); $self_closing_tags = Array( diff -uwr squirrelmail-1.4.4.orig/functions/page_header.php squirrelmail-1.4.4/functions/page_header.php --- squirrelmail-1.4.4.orig/functions/page_header.php Mon Dec 27 22:08:58 2004 +++ squirrelmail-1.4.4/functions/page_header.php Thu Jun 9 15:33:05 2005 @@ -275,6 +275,7 @@ : html_tag( 'td', '', 'left' ) ) . "\n"; $urlMailbox = urlencode($mailbox); + $startMessage = (int)$startMessage; echo makeComposeLink('src/compose.php?mailbox='.$urlMailbox.'&startMessage='.$startMessage); echo "  \n"; displayInternalLink ('src/addressbook.php', _("Addresses")); diff -uwr squirrelmail-1.4.4.orig/plugins/calendar/calendar.php squirrelmail-1.4.4/plugins/calendar/calendar.php --- squirrelmail-1.4.4.orig/plugins/calendar/calendar.php Mon Dec 27 16:03:49 2004 +++ squirrelmail-1.4.4/plugins/calendar/calendar.php Thu Jun 9 15:33:05 2005 
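Review bot: The url() scheme whitelist runs on the raw `$content`, while the backslash/entity/whitespace normalization that yields `$contentTemp` happens after it and is consulted only for the four blacklisted patterns, so a CSS-escaped function name such as `u\72l(javascript:alert(1))` never matches the url() loop, contains none of those patterns, and is returned unchanged although a browser decodes `\72` to `r`. Build `$contentTemp` before the url() pass and run that pass over both strings, adopting `$contentTemp` whenever either the url() rewrite or this blacklist alters it — the same rule this hunk already applies for the blacklist. A comment on the `$contentNew !== $contentTemp` test, e.g. `// adopt the normalized text only on a hit so harmless CSS keeps its escapes`, would make that policy explicit. The enclosing function starts before this hunk.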
@@ -29,16 +29,16 @@ /* get globals */ -if (isset($_GET['month'])) { +if (isset($_GET['month']) && is_numeric($_GET['month'])) { $month = $_GET['month']; } -if (isset($_GET['year'])) { +if (isset($_GET['year']) && is_numeric($_GET['year'])) { $year = $_GET['year']; } -if (isset($_POST['year'])) { +if (isset($_POST['year']) && is_numeric($_POST['year'])) { $year = $_POST['year']; } -if (isset($_POST['month'])) { +if (isset($_POST['month']) && is_numeric($_POST['month'])) { $month = $_POST['month']; } /* got 'em */ diff -uwr squirrelmail-1.4.4.orig/plugins/calendar/day.php squirrelmail-1.4.4/plugins/calendar/day.php --- squirrelmail-1.4.4.orig/plugins/calendar/day.php Mon Dec 27 16:03:49 2004 +++ squirrelmail-1.4.4/plugins/calendar/day.php Thu Jun 9 15:33:05 2005 @@ -29,22 +29,22 @@ require_once(SM_PATH . 'functions/html.php'); /* get globals */ -if (isset($_GET['year'])) { +if (isset($_GET['year']) && is_numeric($_GET['year'])) { $year = $_GET['year']; } -elseif (isset($_POST['year'])) { +elseif (isset($_POST['year']) && is_numeric($_POST['year'])) { $year = $_POST['year']; } -if (isset($_GET['month'])) { +if (isset($_GET['month']) && is_numeric($_GET['month'])) { $month = $_GET['month']; } -elseif (isset($_POST['month'])) { +elseif (isset($_POST['month']) && is_numeric($_POST['month'])) { $month = $_POST['month']; } -if (isset($_GET['day'])) { +if (isset($_GET['day']) && is_numeric($_GET['day'])) { $day = $_GET['day']; } -elseif (isset($_POST['day'])) { +elseif (isset($_POST['day']) && is_numeric($_POST['day'])) { $day = $_POST['day']; } diff -uwr squirrelmail-1.4.4.orig/plugins/calendar/event_create.php squirrelmail-1.4.4/plugins/calendar/event_create.php --- squirrelmail-1.4.4.orig/plugins/calendar/event_create.php Mon Dec 27 16:03:49 2004 +++ squirrelmail-1.4.4/plugins/calendar/event_create.php Thu Jun 9 15:33:05 2005 
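Review bot: `is_numeric()` is a loose gate — it accepts leading whitespace, signs, decimals and exponent notation (and, on the PHP 4/5 releases this tree targets, hex strings such as `0x1A`) — so `month=1e1` or `year=-0.5` still reach whatever builds dates or file names from `$month` and `$year` further down, which is not visible here. If an integer is what is wanted, say so at the boundary: `$month = (int)$_GET['month'];` (likewise for `year`), optionally followed by a range check such as `1 <= $month && $month <= 12`, keeping the `isset()` so an absent parameter still leaves the variable unset. The day.php and event_*.php hunks below repeat the same pattern.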
@@ -29,40 +29,40 @@ /* get globals */ -if (isset($_POST['year'])) { +if (isset($_POST['year']) && is_numeric($_POST['year'])) { $year = $_POST['year']; } -elseif (isset($_GET['year'])) { +elseif (isset($_GET['year']) && is_numeric($_GET['year'])) { $year = $_GET['year']; } -if (isset($_POST['month'])) { +if (isset($_POST['month']) && is_numeric($_POST['month'])) { $month = $_POST['month']; } -elseif (isset($_GET['month'])) { +elseif (isset($_GET['month']) && is_numeric($_GET['month'])) { $month = $_GET['month']; } -if (isset($_POST['day'])) { +if (isset($_POST['day']) && is_numeric($_POST['day'])) { $day = $_POST['day']; } -elseif (isset($_GET['day'])) { +elseif (isset($_GET['day']) && is_numeric($_GET['day'])) { $day = $_GET['day']; } -if (isset($_POST['hour'])) { +if (isset($_POST['hour']) && is_numeric($_POST['hour'])) { $hour = $_POST['hour']; } -elseif (isset($_GET['hour'])) { +elseif (isset($_GET['hour']) && is_numeric($_GET['hour'])) { $hour = $_GET['hour']; } -if (isset($_POST['event_hour'])) { +if (isset($_POST['event_hour']) && is_numeric($_POST['event_hour'])) { $event_hour = $_POST['event_hour']; } -if (isset($_POST['event_minute'])) { +if (isset($_POST['event_minute']) && is_numeric($_POST['event_minute'])) { $event_minute = $_POST['event_minute']; } -if (isset($_POST['event_length'])) { +if (isset($_POST['event_length']) && is_numeric($_POST['event_length'])) { $event_length = $_POST['event_length']; } -if (isset($_POST['event_priority'])) { +if (isset($_POST['event_priority']) && is_numeric($_POST['event_priority'])) { $event_priority = $_POST['event_priority']; } if (isset($_POST['event_title'])) { diff -uwr squirrelmail-1.4.4.orig/plugins/calendar/event_edit.php squirrelmail-1.4.4/plugins/calendar/event_edit.php --- squirrelmail-1.4.4.orig/plugins/calendar/event_edit.php Mon Dec 27 16:03:49 2004 +++ squirrelmail-1.4.4/plugins/calendar/event_edit.php Thu Jun 9 15:33:05 2005 
@@ -33,22 +33,22 @@ if (isset($_POST['updated'])) { $updated = $_POST['updated']; } -if (isset($_POST['event_year'])) { +if (isset($_POST['event_year']) && is_numeric($_POST['event_year'])) { $event_year = $_POST['event_year']; } -if (isset($_POST['event_month'])) { +if (isset($_POST['event_month']) && is_numeric($_POST['event_month'])) { $event_month = $_POST['event_month']; } -if (isset($_POST['event_day'])) { +if (isset($_POST['event_day']) && is_numeric($_POST['event_day'])) { $event_day = $_POST['event_day']; } -if (isset($_POST['event_hour'])) { +if (isset($_POST['event_hour']) && is_numeric($_POST['event_hour'])) { $event_hour = $_POST['event_hour']; } -if (isset($_POST['event_minute'])) { +if (isset($_POST['event_minute']) && is_numeric($_POST['event_minute'])) { $event_minute = $_POST['event_minute']; } -if (isset($_POST['event_length'])) { +if (isset($_POST['event_length']) && is_numeric($_POST['event_length'])) { $event_length = $_POST['event_length']; } if (isset($_POST['event_title'])) { 
@@ -60,40 +60,40 @@ if (isset($_POST['send'])) { $send = $_POST['send']; } -if (isset($_POST['event_priority'])) { +if (isset($_POST['event_priority']) && is_numeric($_POST['event_priority'])) { $event_priority = $_POST['event_priority']; } if (isset($_POST['confirmed'])) { $confirmed = $_POST['confirmed']; } -if (isset($_POST['year'])) { +if (isset($_POST['year']) && is_numeric($_POST['year'])) { $year = $_POST['year']; } -elseif (isset($_GET['year'])) { +elseif (isset($_GET['year']) && is_numeric($_GET['year'])) { $year = $_GET['year']; } -if (isset($_POST['month'])) { +if (isset($_POST['month']) && is_numeric($_POST['month'])) { $month = $_POST['month']; } -elseif (isset($_GET['month'])) { +elseif (isset($_GET['month']) && is_numeric($_GET['month'])) { $month = $_GET['month']; } -if (isset($_POST['day'])) { +if (isset($_POST['day']) && is_numeric($_POST['day'])) { $day = $_POST['day']; } -elseif (isset($_GET['day'])) { +elseif (isset($_GET['day']) && is_numeric($_GET['day'])) { $day = $_GET['day']; } -if (isset($_POST['hour'])) { +if (isset($_POST['hour']) && is_numeric($_POST['hour'])) { $hour = $_POST['hour']; } -elseif (isset($_GET['hour'])) { +elseif (isset($_GET['hour']) && is_numeric($_GET['hour'])) { $hour = $_GET['hour']; } -if (isset($_POST['minute'])) { +if (isset($_POST['minute']) && is_numeric($_POST['minute'])) { $minute = $_POST['minute']; } -elseif (isset($_GET['minute'])) { +elseif (isset($_GET['minute']) && is_numeric($_GET['minute'])) { $minute = $_GET['minute']; } /* got 'em */ diff -uwr squirrelmail-1.4.4.orig/plugins/filters/options.php squirrelmail-1.4.4/plugins/filters/options.php --- squirrelmail-1.4.4.orig/plugins/filters/options.php Mon Dec 27 16:03:57 2004 +++ squirrelmail-1.4.4/plugins/filters/options.php Sun Jun 12 22:35:35 2005 
@@ -189,7 +189,7 @@ html_tag( 'td', '', 'left' ) . ''. ''. diff -uwr squirrelmail-1.4.4.orig/plugins/filters/spamoptions.php squirrelmail-1.4.4/plugins/filters/spamoptions.php --- squirrelmail-1.4.4.orig/plugins/filters/spamoptions.php Mon Dec 27 16:03:57 2004 +++ squirrelmail-1.4.4/plugins/filters/spamoptions.php Sun Jun 12 22:36:03 2005 @@ -199,7 +199,7 @@ echo html_tag( 'p', '', 'center' ) . '[' . _("Edit") . ']' . ' - [' . _("Done") . ']

'; - printf( _("Spam is sent to %s."), ($filters_spam_folder?''.imap_utf7_decode_local($filters_spam_folder).'':'['._("not set yet").']' ) ); + printf( _("Spam is sent to %s."), ($filters_spam_folder?''.htmlspecialchars(imap_utf7_decode_local($filters_spam_folder)).'':'['._("not set yet").']' ) ); echo '
'; printf( _("Spam scan is limited to %s."), '' . ( ($filters_spam_scan == 'new')?_("Unread messages only"):_("All messages") ) . '' ); echo '

'. diff -uwr squirrelmail-1.4.4.orig/plugins/listcommands/mailout.php squirrelmail-1.4.4/plugins/listcommands/mailout.php --- squirrelmail-1.4.4.orig/plugins/listcommands/mailout.php Mon Dec 27 16:03:58 2004 +++ squirrelmail-1.4.4/plugins/listcommands/mailout.php Thu Jun 9 15:33:05 2005 @@ -25,14 +25,6 @@ sqgetGlobalVar('body', $body, SQ_GET); sqgetGlobalVar('action', $action, SQ_GET); -echo html_tag('p', '', 'left' ) . -html_tag( 'table', '', 'center', $color[0], 'border="0" width="75%"' ) . "\n" . - html_tag( 'tr', - html_tag( 'th', _("Mailinglist") . ' ' . _($action), '', $color[9] ) - ) . - html_tag( 'tr' ) . - html_tag( 'td', '', 'left' ); - switch ( $action ) { case 'help': $out_string = _("This will send a message to %s requesting help for this list. You will receive an emailed response at the address below."); @@ -42,7 +34,19 @@ break; case 'unsubscribe': $out_string = _("This will send a message to %s requesting that you will be unsubscribed from this list. It will try to unsubscribe the adress below."); +default: + error_box(sprintf(_("Unknown action: %s"),htmlspecialchars($action)), $color); + exit; } + +echo html_tag('p', '', 'left' ) . +html_tag( 'table', '', 'center', $color[0], 'border="0" width="75%"' ) . "\n" . + html_tag( 'tr', + html_tag( 'th', _("Mailinglist") . ' ' . _($action), '', $color[9] ) + ) . + html_tag( 'tr' ) . + html_tag( 'td', '', 'left' ); + printf( $out_string, htmlspecialchars($send_to) ); Only in squirrelmail-1.4.4/plugins/listcommands: mailout.php.orig diff -uwr squirrelmail-1.4.4.orig/plugins/newmail/newmail.php squirrelmail-1.4.4/plugins/newmail/newmail.php --- squirrelmail-1.4.4.orig/plugins/newmail/newmail.php Mon Dec 27 16:03:58 2004 +++ squirrelmail-1.4.4/plugins/newmail/newmail.php Thu Jun 9 15:33:05 2005 
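Review bot: As printed here nothing separates the `unsubscribe` assignment from the new `default:` label, so `action=unsubscribe` falls through into `error_box(…)` and `exit`, breaking an action the whitelist was meant to keep; add `break;` after the unsubscribe `$out_string = …;` line, as the earlier cases do. Moving the header output below the switch is right, since the error box then renders on a clean page and `_($action)` only ever receives a whitelisted value.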
@@ -22,6 +22,7 @@ require_once(SM_PATH . 'functions/page_header.php'); sqGetGlobalVar('numnew', $numnew, SQ_GET); +$numnew = (int)$numnew; displayHtmlHeader( _("New Mail"), '', FALSE ); diff -uwr squirrelmail-1.4.4.orig/plugins/spamcop/setup.php squirrelmail-1.4.4/plugins/spamcop/setup.php --- squirrelmail-1.4.4.orig/plugins/spamcop/setup.php Mon Dec 27 16:03:58 2004 +++ squirrelmail-1.4.4/plugins/spamcop/setup.php Sun Jun 12 22:36:52 2005 @@ -75,6 +75,9 @@ sqgetGlobalVar('passed_ent_id',$passed_ent_id,SQ_FORM); sqgetGlobalVar('mailbox', $mailbox, SQ_FORM); sqgetGlobalVar('startMessage', $startMessage, SQ_FORM); + if ( sqgetGlobalVar('startMessage', $startMessage, SQ_FORM) ) { + $startMessage = (int)$startMessage; + } /* END GLOBALS */ // catch unset passed_ent_id diff -uwr squirrelmail-1.4.4.orig/plugins/squirrelspell/modules/lang_change.mod squirrelmail-1.4.4/plugins/squirrelspell/modules/lang_change.mod --- squirrelmail-1.4.4.orig/plugins/squirrelspell/modules/lang_change.mod Sat Jun 12 18:39:48 2004 +++ squirrelmail-1.4.4/plugins/squirrelspell/modules/lang_change.mod Thu Jun 9 15:33:05 2005 @@ -69,11 +69,11 @@ $lang_array = explode( ',', $lang_string ); $dsp_string = ''; foreach( $lang_array as $a) { - $dsp_string .= _(trim($a)) . ', '; + $dsp_string .= _(htmlspecialchars(trim($a))) . ', '; } $dsp_string = substr( $dsp_string, 0, -2 ); $msg = '
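Review bot: In the spamcop hunk the unconditional `sqgetGlobalVar('startMessage', $startMessage, SQ_FORM);` kept on the line above the new `if` now performs the same lookup twice; drop it and leave the guarded call as the only one, `if ( sqgetGlobalVar('startMessage', $startMessage, SQ_FORM) ) { $startMessage = (int)$startMessage; }`. When the parameter is absent the variable stays unset exactly as before, so callers testing it with `isset()` are unaffected. The compose.php hunk further down carries the same redundant first call.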

' - . sprintf(_("Settings adjusted to: %s with %s as default dictionary."), ''.$dsp_string.'', ''._($lang_default).'') + . sprintf(_("Settings adjusted to: %s with %s as default dictionary."), ''.$dsp_string.'', ''._(htmlspecialchars($lang_default)).'') . '

'; } else { /** diff -uwr squirrelmail-1.4.4.orig/src/addressbook.php squirrelmail-1.4.4/src/addressbook.php --- squirrelmail-1.4.4.orig/src/addressbook.php Mon Dec 27 16:03:59 2004 +++ squirrelmail-1.4.4/src/addressbook.php Thu Jun 9 15:34:15 2005 @@ -279,7 +279,7 @@ html_tag( 'tr', html_tag( 'td', "\n". '' . _("ERROR") . ': ' . $abook->error . '' ."\n", + '">' . _("ERROR") . ': ' . htmlspecialchars($abook->error) . '' ."\n", 'center' ) ), 'center', '', 'width="100%"' ); @@ -331,7 +331,7 @@ html_tag( 'tr', html_tag( 'td', "\n". '
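Review bot: The escaping is applied to the gettext key — `_(htmlspecialchars(trim($a)))` and `_(htmlspecialchars($lang_default))` — so a name containing `&` or `<` is looked up in its escaped form and, if a translation matched, the translated text would be echoed unescaped; translating first and escaping the result, `htmlspecialchars(_(trim($a)))` and `htmlspecialchars(_($lang_default))`, is the conventional order and escapes what is actually printed. For the dictionary names this module apparently expects both orders give the same output, so this is a robustness point rather than a live issue. The enclosing `if` begins before this hunk.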
' . _("ERROR") . ': ' . $formerror . '' ."\n", + '">' . _("ERROR") . ': ' . htmlspecialchars($formerror) . '' ."\n", 'center' ) ), 'center', '', 'width="100%"' ); @@ -343,6 +343,7 @@ /* Get and sort address list */ $alist = $abook->list_addr(); if(!is_array($alist)) { + htmlspecialchars($abook_error); plain_error_message($abook->error, $color); exit; } diff -uwr squirrelmail-1.4.4.orig/src/compose.php squirrelmail-1.4.4/src/compose.php --- squirrelmail-1.4.4.orig/src/compose.php Mon Jan 3 16:06:28 2005 +++ squirrelmail-1.4.4/src/compose.php Thu Jun 9 15:38:42 2005 @@ -76,6 +76,11 @@ sqgetGlobalVar('saved_draft',$saved_draft); sqgetGlobalVar('delete_draft',$delete_draft); sqgetGlobalVar('startMessage',$startMessage); +if ( sqgetGlobalVar('startMessage',$startMessage) ) { + $startMessage = (int)$startMessage; +} else { + $startMessage = 1; +} } /** POST VARS */ sqgetGlobalVar('sigappend', $sigappend, SQ_POST); diff -uwr squirrelmail-1.4.4.orig/src/printer_friendly_bottom.php squirrelmail-1.4.4/src/printer_friendly_bottom.php --- squirrelmail-1.4.4.orig/src/printer_friendly_bottom.php Tue Dec 28 14:02:49 2004 +++ squirrelmail-1.4.4/src/printer_friendly_bottom.php Thu Jun 9 15:33:05 2005 @@ -33,7 +33,8 @@ sqgetGlobalVar('passed_id', $passed_id, SQ_GET); sqgetGlobalVar('mailbox', $mailbox, SQ_GET); -if (! sqgetGlobalVar('passed_ent_id', $passed_ent_id, SQ_GET) ) { +if (! sqgetGlobalVar('passed_ent_id', $passed_ent_id, SQ_GET) || + ! preg_match('/^\d+(\.\d+)*$/', $passed_ent_id) ) { $passed_ent_id = ''; } /* end globals */ diff -uwr squirrelmail-1.4.4.orig/src/right_main.php squirrelmail-1.4.4/src/right_main.php --- squirrelmail-1.4.4.orig/src/right_main.php Mon Dec 27 16:04:00 2004 +++ squirrelmail-1.4.4/src/right_main.php Thu Jun 9 15:33:05 2005 @@ -165,7 +165,7 @@ do_hook('right_main_after_header'); if (isset($note)) { - echo html_tag( 'div', '' . $note .'', 'center' ) . "
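Review bot: The added `htmlspecialchars($abook_error);` is a statement whose return value is discarded, and `$abook_error` (with an underscore) is not the `$abook->error` property passed on the next line, so it escapes nothing and would only raise an undefined-variable notice; the intent was presumably `plain_error_message(htmlspecialchars($abook->error), $color);`, unless `plain_error_message()` already escapes its argument (not visible here), in which case the line should simply be deleted. The two earlier hunks in this file get this right by wrapping the value at the point of output.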
\n"; + echo html_tag( 'div', '' . htmlspecialchars($note) .'', 'center' ) . "
\n"; } if ( sqgetGlobalVar('just_logged_in', $just_logged_in, SQ_SESSION) ) {