(-)squirrelmail-1.4.4.orig/functions/addressbook.php (-3 / +3 lines)
Lines 108-114 Link Here
108
                if (!$r && $showerr) {
108
                if (!$r && $showerr) {
109
                    printf( ' ' . _("Error initializing LDAP server %s:") .
109
                    printf( ' ' . _("Error initializing LDAP server %s:") .
110
                            "<br />\n", $param['host']);
110
                            "<br />\n", $param['host']);
111
                    echo '&nbsp;' . $abook->error;
111
                    echo '&nbsp;' . htmlspecialchars($abook->error);
112
                    exit;
112
                    exit;
113
                }
113
                }
114
            }
114
            }
Lines 239-245 Link Here
239
                if (is_array($res)) {
239
                if (is_array($res)) {
240
                    $ret = array_merge($ret, $res);
240
                    $ret = array_merge($ret, $res);
241
                } else {
241
                } else {
242
                    $this->error .= "<br />\n" . $backend->error;
242
                    $this->error .= "\n" . $backend->error;
243
                    $failed++;
243
                    $failed++;
244
                }
244
                }
245
            }
245
            }
Lines 255-261 Link Here
255
255
256
            $ret = $this->backends[$bnum]->search($expression);
256
            $ret = $this->backends[$bnum]->search($expression);
257
            if (!is_array($ret)) {
257
            if (!is_array($ret)) {
258
                $this->error .= "<br />\n" . $this->backends[$bnum]->error;
258
                $this->error .= "\n" . $this->backends[$bnum]->error;
259
                $ret = FALSE;
259
                $ret = FALSE;
260
            }
260
            }
261
        }
261
        }
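Review bot: Changing the separator from `"<br />\n"` to `"\n"` at new lines 242 and 258 is the right companion to escaping `$abook->error` with htmlspecialchars() at the output sites, but a bare newline is not a line break in HTML, so wherever the joined string is now echoed several backend errors will render as one run-on line. At those output sites `nl2br(htmlspecialchars($this->error))` keeps one error per line while still escaping the backend text. The callers that display the joined error are outside these hunks, so whether any of them already wraps the text is not visible here.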
(-)squirrelmail-1.4.4.orig/functions/mime.php (-24 / +84 lines)
Lines 847-852 Link Here
847
/**
847
/**
848
 ** HTMLFILTER ROUTINES
848
 ** HTMLFILTER ROUTINES
849
 */
849
 */
850
function sq_unbackslash($attvalue){
851
    /**
852
     * Remove any backslashes. See if there are any first.
853
     */
854
855
    if (strstr($attvalue, '\\') !== false){
856
        $attvalue = stripslashes($attvalue);
857
    }
858
    return $attvalue;
859
}
850
860
851
/**
861
/**
852
 * This function checks attribute values for entity-encoded values
862
 * This function checks attribute values for entity-encoded values
Lines 1301-1325 Link Here
1301
 * @param $hex      whether the entites are hexadecimal.
1311
 * @param $hex      whether the entites are hexadecimal.
1302
 * @return          True or False depending on whether there were matches.
1312
 * @return          True or False depending on whether there were matches.
1303
 */
1313
 */
1304
function sq_deent(&$attvalue, $regex, $hex=false){
1314
function sq_deent($attvalue){
1305
    $me = 'sq_deent';
1315
    $me = 'sq_deent';
1306
    $ret_match = false;
1316
    /**
1307
    preg_match_all($regex, $attvalue, $matches);
1317
     * See if we have to run the checks first. All entities must start
1308
    if (is_array($matches) && sizeof($matches[0]) > 0){
1318
     * with "&".
1309
        $repl = Array();
1319
     */
1310
        for ($i = 0; $i < sizeof($matches[0]); $i++){
1320
    if (strpos($attvalue, '&') === false){
1311
            $numval = $matches[1][$i];
1321
        return $attvalue;
1312
            if ($hex){
1313
                $numval = hexdec($numval);
1314
            }
1322
            }
1315
            $repl{$matches[0][$i]} = chr($numval);
1323
    /**
1324
     * Check named entities first.
1325
     */
1326
    $trans = get_html_translation_table(HTML_ENTITIES);
1327
    /**
1328
     * Leave &quot; in, as it can mess us up.
1329
     */
1330
    $trans = array_flip($trans);
1331
    unset($trans{'&quot;'});
1332
    while (list($ent, $val) = each($trans)){
1333
        $attvalue = preg_replace('/' . $ent . '*/si', $val, $attvalue);
1316
        }
1334
        }
1317
        $attvalue = strtr($attvalue, $repl);
1335
    /**
1318
        return true;
1336
     * Now translate numbered entities from 1 to 255 if needed.
1319
    } else {
1337
     */
1320
        return false;
1338
    if (strpos($attvalue, '#') !== false){
1339
        $omit = Array(34, 39);
1340
        for ($asc = 256; $asc >= 0; $asc--){
1341
            if (!in_array($asc, $omit)){
1342
                $chr = chr($asc);
1343
                $octrule = '/\&#0*' . $asc . ';*/si';
1344
                $hexrule = '/\&#x0*' . dechex($asc) . ';*/si';
1345
                $attvalue = preg_replace($octrule, $chr, $attvalue);
1346
                $attvalue = preg_replace($hexrule, $chr, $attvalue);
1321
    }
1347
    }
1322
}
1348
}
1349
    }
1350
    return $attvalue;
1351
}
1323
1352
1324
/**
1353
/**
1325
 * This function runs various checks against the attributes.
1354
 * This function runs various checks against the attributes.
Lines 1436-1462 Link Here
1436
    /**
1465
    /**
1437
     * Fix url('blah') declarations.
1466
     * Fix url('blah') declarations.
1438
     */
1467
     */
1439
    $content = preg_replace("|url\s*\(\s*([\'\"])\s*\S+script\s*:.*?([\'\"])\s*\)|si",
1468
    // remove NUL                        
1440
                            "url(\\1$secremoveimg\\2)", $content);
1469
    $content = str_replace("\0", "", $content);
1470
    // NB I insert NUL characters to keep to avoid an infinite loop. They are removed after the loop.
1471
    while (preg_match("/url\s*\(\s*[\'\"]?([^:]+):(.*)?[\'\"]?\s*\)/si", $content, $matches)) {
1472
        $sProto = strtolower($matches[1]);
1473
        switch ($sProto) {
1441
    /**
1474
    /**
1442
     * Fix url('https*://.*) declarations but only if $view_unsafe_images
1475
     * Fix url('https*://.*) declarations but only if $view_unsafe_images
1443
     * is false.
1476
     * is false.
1444
     */
1477
     */
1478
          case 'https':
1479
          case 'http':
1445
    if (!$view_unsafe_images){
1480
    if (!$view_unsafe_images){
1446
        $content = preg_replace("|url\s*\(\s*([\'\"])\s*https*:.*?([\'\"])\s*\)|si",
1481
        $content = preg_replace("|url\s*\(\s*([\'\"])\s*https*:.*?([\'\"])\s*\)|si",
1447
                                "url(\\1$secremoveimg\\2)", $content);
1482
                                "u\0r\0l(\\1$secremoveimg\\2)", $content);
1448
    }
1483
    }
1449
1484
            break;
1450
    /**
1485
    /**
1451
     * Fix urls that refer to cid:
1486
     * Fix urls that refer to cid:
1452
     */
1487
     */
1453
    while (preg_match("|url\s*\(\s*([\'\"]\s*cid:.*?[\'\"])\s*\)|si",
1488
          case 'cid':
1454
                      $content, $matches)){
1489
            $cidurl = 'cid:'. $matches[2];
1455
        $cidurl = $matches{1};
1456
        $httpurl = sq_cid2http($message, $id, $cidurl, $mailbox);
1490
        $httpurl = sq_cid2http($message, $id, $cidurl, $mailbox);
1457
        $content = preg_replace("|url\s*\(\s*$cidurl\s*\)|si",
1491
        $content = preg_replace("|url\s*\(\s*$cidurl\s*\)|si",
1458
                                "url($httpurl)", $content);
1492
                                "u\0r\0l($httpurl)", $content);
1493
            break;
1494
          default:
1495
            /**
1496
             * replace url with protocol other then the white list 
1497
             * http,https and cid by an empty string.
1498
             */            
1499
            $content = preg_replace("/url\s*\(\s*[\'\"]?([^:]+):(.*)?[\'\"]?\s*\)/si",
1500
                                "", $content); 
1501
            break;
1502
        }         
1503
        break;
1459
    }
1504
    }
1505
    // remove NUL                        
1506
    $content = str_replace("\0", "", $content);
1507
    
1508
   /**
1509
    * Remove any backslashes, entities, and extraneous whitespace.
1510
    */
1511
    $contentTemp = sq_unbackslash($content);
1512
    $contentTemp = sq_deent($contentTemp);
1513
    $contentTemp = sq_unspace($contentTemp); 
1460
1514
1461
    /**
1515
    /**
1462
     * Fix stupid css declarations which lead to vulnerabilities
1516
     * Fix stupid css declarations which lead to vulnerabilities
Lines 1467-1473 Link Here
1467
                     '/binding/i',
1521
                     '/binding/i',
1468
                     '/include-source/i');
1522
                     '/include-source/i');
1469
    $replace = Array('idiocy', 'idiocy', 'idiocy', 'idiocy');
1523
    $replace = Array('idiocy', 'idiocy', 'idiocy', 'idiocy');
1470
    $content = preg_replace($match, $replace, $content);
1524
    $contentNew = preg_replace($match, $replace, $contentTemp);
1525
    if ($contentNew !== $contentTemp) {
1526
        // insecure css declarations are used. From now on we don't care
1527
        // anymore if the css is destroyed by sq_deent, sq_unspace or sq_unbackslash
1528
        $content = $contentNew;
1529
    }
1471
    return array($content, $newpos);
1530
    return array($content, $newpos);
1472
}
1531
}
1473
1532
Lines 1754-1760 Link Here
1754
                                  "embed",
1813
                                  "embed",
1755
                                  "title",
1814
                                  "title",
1756
                                  "frameset",
1815
                                  "frameset",
1757
                                  "xml"
1816
                                  "xml",
1817
                                  "xmp"
1758
                                  );
1818
                                  );
1759
1819
1760
    $self_closing_tags =  Array(
1820
    $self_closing_tags =  Array(
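Review bot: The `while (preg_match(...))` loop at new lines 1471-1504 only terminates when the branch taken rewrites the matched `url(` to `u\0r\0l(`, and two branches can leave `$content` unchanged: the http/https case does nothing when `$view_unsafe_images` is set, and its replacement pattern on line 1481 insists on a quote character although the loop pattern on line 1471 makes the quotes optional, so an unquoted `url(http:...)` is never rewritten; the cid case builds `$cidurl` from `$matches[2]`, which excludes the opening quote but can contain the closing one, and interpolates it unquoted into the pattern on line 1491, so a quoted `url('cid:...')` is found again on the next pass. Each of these spins the loop indefinitely on a message that merely contains such a declaration, despite the comment on line 1470. The rewrite below tightens the loop pattern so the protocol and URL captures cannot swallow quotes or parentheses, makes the http and cid replacements accept the same quoting the loop accepts, passes `$cidurl` through `preg_quote()`, and neutralises the first remaining `url(` whenever an iteration made no change. The enclosing function starts before this hunk.
```php
    // NB: every iteration must change $content, otherwise preg_match() finds the same url() again.
    while (preg_match("/url\s*\(\s*[\'\"]?([^:\'\"\)]+):(.*?)[\'\"]?\s*\)/si", $content, $matches)) {
        $sProto = strtolower($matches[1]);
        $contentBefore = $content;
        switch ($sProto) {
          case 'https':
          case 'http':
            if (!$view_unsafe_images){
                // quotes are optional here too, so an unquoted url(http:...) is rewritten as well
                $content = preg_replace("|url\s*\(\s*([\'\"]?)\s*https*:.*?([\'\"]?)\s*\)|si",
                                        "u\0r\0l(\\1$secremoveimg\\2)", $content);
            }
            break;
          case 'cid':
            $cidurl = 'cid:'. $matches[2];
            $httpurl = sq_cid2http($message, $id, $cidurl, $mailbox);
            // the loop pattern drops the quotes, so accept them here; preg_quote() keeps
            // metacharacters from the message out of the pattern
            $content = preg_replace("|url\s*\(\s*[\'\"]?" . preg_quote($cidurl, '|') . "[\'\"]?\s*\)|si",
                                    "u\0r\0l($httpurl)", $content);
            break;
          // … unchanged: default case …
        }
        if ($content === $contentBefore) {
            // allowed http image (or a replacement that found nothing): neutralise the first
            // remaining url( so the loop advances; the NUL bytes are stripped after the loop
            $content = preg_replace('/url(\s*\()/si', "u\0r\0l\\1", $content, 1);
        }
    }
```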
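--- a/squirrelmail-1.4.4.orig/functions/page_header.php
+++ b/squirrelmail-1.4.4.orig/functions/page_header.php
@@ -275,6 +275,7 @@
                                  : html_tag( 'td', '', 'left' ) )
         . "\n";
     $urlMailbox = urlencode($mailbox);
+    $startMessage = (int)$startMessage;
     echo makeComposeLink('src/compose.php?mailbox='.$urlMailbox.'&amp;startMessage='.$startMessage);
     echo "&nbsp;&nbsp;\n";
     displayInternalLink ('src/addressbook.php', _("Addresses"));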
(-)squirrelmail-1.4.4.orig/plugins/calendar/calendar.php (-4 / +4 lines)
Lines 29-44 Link Here
29
29
30
/* get globals */
30
/* get globals */
31
31
32
if (isset($_GET['month'])) {
32
if (isset($_GET['month']) && is_numeric($_GET['month'])) {
33
    $month = $_GET['month'];
33
    $month = $_GET['month'];
34
}
34
}
35
if (isset($_GET['year'])) {
35
if (isset($_GET['year']) && is_numeric($_GET['year'])) {
36
    $year = $_GET['year'];
36
    $year = $_GET['year'];
37
}
37
}
38
if (isset($_POST['year'])) {
38
if (isset($_POST['year']) && is_numeric($_POST['year'])) {
39
    $year = $_POST['year'];
39
    $year = $_POST['year'];
40
}
40
}
41
if (isset($_POST['month'])) {
41
if (isset($_POST['month']) && is_numeric($_POST['month'])) {
42
    $month = $_POST['month'];
42
    $month = $_POST['month'];
43
}
43
}
44
/* got 'em */
44
/* got 'em */
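Review bot: The `is_numeric()` guard added on new line 32 (and on every other guard in this section) is weaker than the assignment on the following line needs: it accepts leading whitespace, a sign, decimals and exponent notation (and hexadecimal strings on older PHP releases), and the raw request string is still what gets assigned to `$month`. Casting at the assignment, `$month = (int)$_GET['month'];`, gives the rest of the file an integer whatever the request contained, and the same applies to `$year`. The identical pattern is introduced in plugins/calendar/day.php, plugins/calendar/event_create.php and plugins/calendar/event_edit.php.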
(-)squirrelmail-1.4.4.orig/plugins/calendar/day.php (-6 / +6 lines)
Lines 29-50 Link Here
29
require_once(SM_PATH . 'functions/html.php');
29
require_once(SM_PATH . 'functions/html.php');
30
30
31
/* get globals */
31
/* get globals */
32
if (isset($_GET['year'])) {
32
if (isset($_GET['year']) && is_numeric($_GET['year'])) {
33
    $year = $_GET['year'];
33
    $year = $_GET['year'];
34
}
34
}
35
elseif (isset($_POST['year'])) {
35
elseif (isset($_POST['year']) && is_numeric($_POST['year'])) {
36
    $year = $_POST['year'];
36
    $year = $_POST['year'];
37
}
37
}
38
if (isset($_GET['month'])) {
38
if (isset($_GET['month']) && is_numeric($_GET['month'])) {
39
    $month = $_GET['month'];
39
    $month = $_GET['month'];
40
}
40
}
41
elseif (isset($_POST['month'])) {
41
elseif (isset($_POST['month']) && is_numeric($_POST['month'])) {
42
    $month = $_POST['month'];
42
    $month = $_POST['month'];
43
}
43
}
44
if (isset($_GET['day'])) {
44
if (isset($_GET['day']) && is_numeric($_GET['day'])) {
45
    $day = $_GET['day'];
45
    $day = $_GET['day'];
46
}
46
}
47
elseif (isset($_POST['day'])) {
47
elseif (isset($_POST['day']) && is_numeric($_POST['day'])) {
48
    $day = $_POST['day'];
48
    $day = $_POST['day'];
49
}
49
}
50
50
(-)squirrelmail-1.4.4.orig/plugins/calendar/event_create.php (-12 / +12 lines)
Lines 29-68 Link Here
29
29
30
/* get globals */
30
/* get globals */
31
31
32
if (isset($_POST['year'])) {
32
if (isset($_POST['year']) && is_numeric($_POST['year'])) {
33
    $year = $_POST['year'];
33
    $year = $_POST['year'];
34
}
34
}
35
elseif (isset($_GET['year'])) {
35
elseif (isset($_GET['year']) && is_numeric($_GET['year'])) {
36
    $year = $_GET['year'];
36
    $year = $_GET['year'];
37
}
37
}
38
if (isset($_POST['month'])) {
38
if (isset($_POST['month']) && is_numeric($_POST['month'])) {
39
    $month = $_POST['month'];
39
    $month = $_POST['month'];
40
}
40
}
41
elseif (isset($_GET['month'])) {
41
elseif (isset($_GET['month']) && is_numeric($_GET['month'])) {
42
    $month = $_GET['month'];
42
    $month = $_GET['month'];
43
}
43
}
44
if (isset($_POST['day'])) {
44
if (isset($_POST['day']) && is_numeric($_POST['day'])) {
45
    $day = $_POST['day'];
45
    $day = $_POST['day'];
46
}
46
}
47
elseif (isset($_GET['day'])) {
47
elseif (isset($_GET['day']) && is_numeric($_GET['day'])) {
48
    $day = $_GET['day'];
48
    $day = $_GET['day'];
49
}
49
}
50
if (isset($_POST['hour'])) {
50
if (isset($_POST['hour']) && is_numeric($_POST['hour'])) {
51
    $hour = $_POST['hour'];
51
    $hour = $_POST['hour'];
52
}
52
}
53
elseif (isset($_GET['hour'])) {
53
elseif (isset($_GET['hour']) && is_numeric($_GET['hour'])) {
54
    $hour = $_GET['hour'];
54
    $hour = $_GET['hour'];
55
}
55
}
56
if (isset($_POST['event_hour'])) {
56
if (isset($_POST['event_hour']) && is_numeric($_POST['event_hour'])) {
57
    $event_hour = $_POST['event_hour'];
57
    $event_hour = $_POST['event_hour'];
58
}
58
}
59
if (isset($_POST['event_minute'])) {
59
if (isset($_POST['event_minute']) && is_numeric($_POST['event_minute'])) {
60
    $event_minute = $_POST['event_minute'];
60
    $event_minute = $_POST['event_minute'];
61
}
61
}
62
if (isset($_POST['event_length'])) {
62
if (isset($_POST['event_length']) && is_numeric($_POST['event_length'])) {
63
    $event_length = $_POST['event_length'];
63
    $event_length = $_POST['event_length'];
64
}
64
}
65
if (isset($_POST['event_priority'])) {
65
if (isset($_POST['event_priority']) && is_numeric($_POST['event_priority'])) {
66
    $event_priority = $_POST['event_priority'];
66
    $event_priority = $_POST['event_priority'];
67
}
67
}
68
if (isset($_POST['event_title'])) {
68
if (isset($_POST['event_title'])) {
(-)squirrelmail-1.4.4.orig/plugins/calendar/event_edit.php (-17 / +17 lines)
Lines 33-54 Link Here
33
if (isset($_POST['updated'])) {
33
if (isset($_POST['updated'])) {
34
    $updated = $_POST['updated'];
34
    $updated = $_POST['updated'];
35
}
35
}
36
if (isset($_POST['event_year'])) {
36
if (isset($_POST['event_year']) && is_numeric($_POST['event_year'])) {
37
    $event_year = $_POST['event_year'];
37
    $event_year = $_POST['event_year'];
38
}
38
}
39
if (isset($_POST['event_month'])) {
39
if (isset($_POST['event_month']) && is_numeric($_POST['event_month'])) {
40
    $event_month = $_POST['event_month'];
40
    $event_month = $_POST['event_month'];
41
}
41
}
42
if (isset($_POST['event_day'])) {
42
if (isset($_POST['event_day']) && is_numeric($_POST['event_day'])) {
43
    $event_day = $_POST['event_day'];
43
    $event_day = $_POST['event_day'];
44
}
44
}
45
if (isset($_POST['event_hour'])) {
45
if (isset($_POST['event_hour']) && is_numeric($_POST['event_hour'])) {
46
    $event_hour = $_POST['event_hour'];
46
    $event_hour = $_POST['event_hour'];
47
}
47
}
48
if (isset($_POST['event_minute'])) {
48
if (isset($_POST['event_minute']) && is_numeric($_POST['event_minute'])) {
49
    $event_minute = $_POST['event_minute'];
49
    $event_minute = $_POST['event_minute'];
50
}
50
}
51
if (isset($_POST['event_length'])) {
51
if (isset($_POST['event_length']) && is_numeric($_POST['event_length'])) {
52
    $event_length = $_POST['event_length'];
52
    $event_length = $_POST['event_length'];
53
}
53
}
54
if (isset($_POST['event_title'])) {
54
if (isset($_POST['event_title'])) {
Lines 60-99 Link Here
60
if (isset($_POST['send'])) {
60
if (isset($_POST['send'])) {
61
    $send = $_POST['send'];
61
    $send = $_POST['send'];
62
}
62
}
63
if (isset($_POST['event_priority'])) {
63
if (isset($_POST['event_priority']) && is_numeric($_POST['event_priority'])) {
64
    $event_priority = $_POST['event_priority'];
64
    $event_priority = $_POST['event_priority'];
65
}
65
}
66
if (isset($_POST['confirmed'])) {
66
if (isset($_POST['confirmed'])) {
67
    $confirmed = $_POST['confirmed'];
67
    $confirmed = $_POST['confirmed'];
68
}
68
}
69
if (isset($_POST['year'])) {
69
if (isset($_POST['year']) && is_numeric($_POST['year'])) {
70
    $year = $_POST['year'];
70
    $year = $_POST['year'];
71
}
71
}
72
elseif (isset($_GET['year'])) {
72
elseif (isset($_GET['year']) && is_numeric($_GET['year'])) {
73
    $year = $_GET['year'];
73
    $year = $_GET['year'];
74
}
74
}
75
if (isset($_POST['month'])) {
75
if (isset($_POST['month']) && is_numeric($_POST['month'])) {
76
    $month = $_POST['month'];
76
    $month = $_POST['month'];
77
}
77
}
78
elseif (isset($_GET['month'])) {
78
elseif (isset($_GET['month']) && is_numeric($_GET['month'])) {
79
    $month = $_GET['month'];
79
    $month = $_GET['month'];
80
}
80
}
81
if (isset($_POST['day'])) {
81
if (isset($_POST['day']) && is_numeric($_POST['day'])) {
82
    $day = $_POST['day'];
82
    $day = $_POST['day'];
83
}
83
}
84
elseif (isset($_GET['day'])) {
84
elseif (isset($_GET['day']) && is_numeric($_GET['day'])) {
85
    $day = $_GET['day'];
85
    $day = $_GET['day'];
86
}
86
}
87
if (isset($_POST['hour'])) {
87
if (isset($_POST['hour']) && is_numeric($_POST['hour'])) {
88
    $hour = $_POST['hour'];
88
    $hour = $_POST['hour'];
89
}
89
}
90
elseif (isset($_GET['hour'])) {
90
elseif (isset($_GET['hour']) && is_numeric($_GET['hour'])) {
91
    $hour = $_GET['hour'];
91
    $hour = $_GET['hour'];
92
}
92
}
93
if (isset($_POST['minute'])) {
93
if (isset($_POST['minute']) && is_numeric($_POST['minute'])) {
94
    $minute = $_POST['minute'];
94
    $minute = $_POST['minute'];
95
}
95
}
96
elseif (isset($_GET['minute'])) {
96
elseif (isset($_GET['minute']) && is_numeric($_GET['minute'])) {
97
    $minute = $_GET['minute'];
97
    $minute = $_GET['minute'];
98
}
98
}
99
/* got 'em */
99
/* got 'em */
(-)squirrelmail-1.4.4.orig/plugins/filters/options.php (-1 / +1 lines)
Lines 189-195 Link Here
189
                html_tag( 'td', '', 'left' ) .
189
                html_tag( 'td', '', 'left' ) .
190
                    '<input type="text" size="32" name="filter_what" value="';
190
                    '<input type="text" size="32" name="filter_what" value="';
191
        if (isset($filters[$theid]['what'])) {
191
        if (isset($filters[$theid]['what'])) {
192
            echo $filters[$theid]['what'];
192
            echo htmlspecialchars($filters[$theid]['what']);
193
        }
193
        }
194
        echo '" />'.
194
        echo '" />'.
195
                '</td>'.
195
                '</td>'.
(-)squirrelmail-1.4.4.orig/plugins/filters/spamoptions.php (-1 / +1 lines)
Lines 199-205 Link Here
199
    echo html_tag( 'p', '', 'center' ) .
199
    echo html_tag( 'p', '', 'center' ) .
200
         '[<a href="spamoptions.php?action=spam">' . _("Edit") . '</a>]' .
200
         '[<a href="spamoptions.php?action=spam">' . _("Edit") . '</a>]' .
201
         ' - [<a href="../../src/options.php">' . _("Done") . '</a>]</center><br /><br />';
201
         ' - [<a href="../../src/options.php">' . _("Done") . '</a>]</center><br /><br />';
202
    printf( _("Spam is sent to %s."), ($filters_spam_folder?'<b>'.imap_utf7_decode_local($filters_spam_folder).'</b>':'[<i>'._("not set yet").'</i>]' ) );
202
    printf( _("Spam is sent to %s."), ($filters_spam_folder?'<b>'.htmlspecialchars(imap_utf7_decode_local($filters_spam_folder)).'</b>':'[<i>'._("not set yet").'</i>]' ) );
203
    echo '<br />';
203
    echo '<br />';
204
    printf( _("Spam scan is limited to %s."), '<b>' . ( ($filters_spam_scan == 'new')?_("Unread messages only"):_("All messages") ) . '</b>' );
204
    printf( _("Spam scan is limited to %s."), '<b>' . ( ($filters_spam_scan == 'new')?_("Unread messages only"):_("All messages") ) . '</b>' );
205
    echo '</p>'.
205
    echo '</p>'.
(-)squirrelmail-1.4.4.orig/plugins/listcommands/mailout.php (-8 / +12 lines)
Lines 25-38 Link Here
25
sqgetGlobalVar('body',    $body,    SQ_GET);
25
sqgetGlobalVar('body',    $body,    SQ_GET);
26
sqgetGlobalVar('action',  $action,  SQ_GET);
26
sqgetGlobalVar('action',  $action,  SQ_GET);
27
27
28
echo html_tag('p', '', 'left' ) .
29
html_tag( 'table', '', 'center', $color[0], 'border="0" width="75%"' ) . "\n" .
30
    html_tag( 'tr',
31
        html_tag( 'th', _("Mailinglist") . ' ' . _($action), '', $color[9] )
32
    ) .
33
    html_tag( 'tr' ) .
34
    html_tag( 'td', '', 'left' );
35
36
switch ( $action ) {
28
switch ( $action ) {
37
case 'help':
29
case 'help':
38
    $out_string = _("This will send a message to %s requesting help for this list. You will receive an emailed response at the address below.");
30
    $out_string = _("This will send a message to %s requesting help for this list. You will receive an emailed response at the address below.");
Lines 42-48 Link Here
42
    break;
34
    break;
43
case 'unsubscribe':
35
case 'unsubscribe':
44
    $out_string = _("This will send a message to %s requesting that you will be unsubscribed from this list. It will try to unsubscribe the adress below.");
36
    $out_string = _("This will send a message to %s requesting that you will be unsubscribed from this list. It will try to unsubscribe the adress below.");
37
default:
38
    error_box(sprintf(_("Unknown action: %s"),htmlspecialchars($action)), $color);
39
    exit;
45
}
40
}
41
42
echo html_tag('p', '', 'left' ) .
43
html_tag( 'table', '', 'center', $color[0], 'border="0" width="75%"' ) . "\n" .
44
    html_tag( 'tr',
45
        html_tag( 'th', _("Mailinglist") . ' ' . _($action), '', $color[9] )
46
    ) .
47
    html_tag( 'tr' ) .
48
    html_tag( 'td', '', 'left' );
49
46
50
47
printf( $out_string, htmlspecialchars($send_to) );
51
printf( $out_string, htmlspecialchars($send_to) );
48
52
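Review bot: The `default:` label added at new line 37 directly follows the `$out_string` assignment of `case 'unsubscribe':` on line 36 with no `break` between them, so an unsubscribe request now falls through into `error_box(...)` and `exit` on lines 38-39 and never reaches the output below. Insert `break;` after line 36. Moving the table output after the `switch` is sound, since the error page should not be preceded by an opened table.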
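--- a/squirrelmail-1.4.4.orig/plugins/newmail/newmail.php
+++ b/squirrelmail-1.4.4.orig/plugins/newmail/newmail.php
@@ -22,6 +22,7 @@
 require_once(SM_PATH . 'functions/page_header.php');
 
 sqGetGlobalVar('numnew', $numnew, SQ_GET);
+$numnew = (int)$numnew;
 
    displayHtmlHeader( _("New Mail"), '', FALSE );
 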
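--- a/squirrelmail-1.4.4.orig/plugins/spamcop/setup.php
+++ b/squirrelmail-1.4.4.orig/plugins/spamcop/setup.php
@@ -75,6 +75,9 @@
    sqgetGlobalVar('passed_ent_id',$passed_ent_id,SQ_FORM);
    sqgetGlobalVar('mailbox',      $mailbox,      SQ_FORM);
    sqgetGlobalVar('startMessage', $startMessage, SQ_FORM);
+   if ( sqgetGlobalVar('startMessage', $startMessage, SQ_FORM) ) {
+       $startMessage = (int)$startMessage;
+   }
    /* END GLOBALS */
 
    // catch unset passed_ent_id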
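Review bot: The `if ( sqgetGlobalVar('startMessage', $startMessage, SQ_FORM) )` block added at new lines 78-80 repeats the unconditional `sqgetGlobalVar('startMessage', $startMessage, SQ_FORM);` call that remains on line 77, so the same variable is fetched twice in a row. Fold the cast into the existing call by replacing line 77 with the new block rather than adding it underneath. The same duplication is introduced in src/compose.php, where the original line 78 is likewise kept above the new conditional.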
(-)squirrelmail-1.4.4.orig/plugins/squirrelspell/modules/lang_change.mod (-2 / +2 lines)
Lines 69-79 Link Here
69
  $lang_array = explode( ',', $lang_string );
69
  $lang_array = explode( ',', $lang_string );
70
  $dsp_string = '';
70
  $dsp_string = '';
71
  foreach( $lang_array as $a) {
71
  foreach( $lang_array as $a) {
72
    $dsp_string .= _(trim($a)) . ', ';
72
    $dsp_string .= _(htmlspecialchars(trim($a))) . ', ';
73
  }
73
  }
74
  $dsp_string = substr( $dsp_string, 0, -2 );
74
  $dsp_string = substr( $dsp_string, 0, -2 );
75
  $msg = '<p>'
75
  $msg = '<p>'
76
    . sprintf(_("Settings adjusted to: %s with %s as default dictionary."), '<strong>'.$dsp_string.'</strong>', '<strong>'._($lang_default).'</strong>')
76
    . sprintf(_("Settings adjusted to: %s with %s as default dictionary."), '<strong>'.$dsp_string.'</strong>', '<strong>'._(htmlspecialchars($lang_default)).'</strong>')
77
    . '</p>';
77
    . '</p>';
78
} else {
78
} else {
79
  /**
79
  /**
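Review bot: `_(htmlspecialchars(trim($a)))` on new line 72 (and `_(htmlspecialchars($lang_default))` on line 76) escapes the string before it is used as the gettext lookup key, so any catalog entry containing `&`, `<`, `>` or a quote no longer matches and the untranslated text is shown, while it is the translation, not the key, that ends up in the HTML. Escape the result instead: `$dsp_string .= htmlspecialchars(_(trim($a))) . ', ';` and `'<strong>'.htmlspecialchars(_($lang_default)).'</strong>'`. The translation catalog is not visible here, so how often the lookup actually changes depends on its entries.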
(-)squirrelmail-1.4.4.orig/src/addressbook.php (-2 / +3 lines)
Lines 279-285 Link Here
279
                                    html_tag( 'tr',
279
                                    html_tag( 'tr',
280
                                        html_tag( 'td',
280
                                        html_tag( 'td',
281
                                            "\n". '<strong><font color="' . $color[2] .
281
                                            "\n". '<strong><font color="' . $color[2] .
282
                                            '">' . _("ERROR") . ': ' . $abook->error . '</font></strong>' ."\n",
282
                                            '">' . _("ERROR") . ': ' . htmlspecialchars($abook->error) . '</font></strong>' ."\n",
283
                                            'center' )
283
                                            'center' )
284
                                        ),
284
                                        ),
285
                                    'center', '', 'width="100%"' );
285
                                    'center', '', 'width="100%"' );
Lines 331-337 Link Here
331
            html_tag( 'tr',
331
            html_tag( 'tr',
332
                html_tag( 'td',
332
                html_tag( 'td',
333
                    "\n". '<br /><strong><font color="' . $color[2] .
333
                    "\n". '<br /><strong><font color="' . $color[2] .
334
                    '">' . _("ERROR") . ': ' . $formerror . '</font></strong>' ."\n",
334
                    '">' . _("ERROR") . ': ' . htmlspecialchars($formerror) . '</font></strong>' ."\n",
335
                    'center' )
335
                    'center' )
336
                ),
336
                ),
337
            'center', '', 'width="100%"' );
337
            'center', '', 'width="100%"' );
Lines 343-348 Link Here
343
    /* Get and sort address list */
343
    /* Get and sort address list */
344
    $alist = $abook->list_addr();
344
    $alist = $abook->list_addr();
345
    if(!is_array($alist)) {
345
    if(!is_array($alist)) {
346
        htmlspecialchars($abook_error);
346
        plain_error_message($abook->error, $color);
347
        plain_error_message($abook->error, $color);
347
        exit;
348
        exit;
348
    }
349
    }
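Review bot: New line 346, `htmlspecialchars($abook_error);`, discards its return value and refers to `$abook_error`, a variable that does not appear in this hunk, while line 347 still hands the raw `$abook->error` to `plain_error_message()`. If that helper does not escape its argument (it is not visible here), the intended line is `plain_error_message(htmlspecialchars($abook->error), $color);`; if it does, line 346 should simply be dropped.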
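--- a/squirrelmail-1.4.4.orig/src/compose.php
+++ b/squirrelmail-1.4.4.orig/src/compose.php
@@ -76,6 +76,11 @@
 sqgetGlobalVar('saved_draft',$saved_draft);
 sqgetGlobalVar('delete_draft',$delete_draft);
 sqgetGlobalVar('startMessage',$startMessage);
+if ( sqgetGlobalVar('startMessage',$startMessage) ) {
+    $startMessage = (int)$startMessage;
+} else {
+    $startMessage = 1;
+}                             }
 
 /** POST VARS */
 sqgetGlobalVar('sigappend',             $sigappend,             SQ_POST);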
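Review bot: New line 83 reads `}                             }`: the first brace closes the `else` opened on line 81, and the second has nothing to close, since the surrounding `sqgetGlobalVar` calls are at file scope, so it looks like a paste remnant that would stop the file from parsing. The line should be just `}`.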
(-)squirrelmail-1.4.4.orig/src/printer_friendly_bottom.php (-1 / +2 lines)
Lines 33-39 Link Here
33
sqgetGlobalVar('passed_id', $passed_id, SQ_GET);
33
sqgetGlobalVar('passed_id', $passed_id, SQ_GET);
34
sqgetGlobalVar('mailbox', $mailbox, SQ_GET);
34
sqgetGlobalVar('mailbox', $mailbox, SQ_GET);
35
35
36
if (! sqgetGlobalVar('passed_ent_id', $passed_ent_id, SQ_GET) ) {
36
if (! sqgetGlobalVar('passed_ent_id', $passed_ent_id, SQ_GET) ||
37
    ! preg_match('/^\d+(\.\d+)*$/', $passed_ent_id) ) {
37
    $passed_ent_id = '';
38
    $passed_ent_id = '';
38
} 
39
} 
39
/* end globals */
40
/* end globals */
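Review bot: The `$` anchor in `'/^\d+(\.\d+)*$/'` on new line 37 also matches before a final newline, so a value such as `"1.2\n"` passes the check with the newline still attached to `$passed_ent_id`. Use the dollar-end-only modifier, `'/^\d+(\.\d+)*$/D'` (or `\z` in place of `$`), so the whole value must consist of digits and dots.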
(-)squirrelmail-1.4.4.orig/src/right_main.php (-1 / +1 lines)
Lines 165-171 Link Here
165
165
166
do_hook('right_main_after_header');
166
do_hook('right_main_after_header');
167
if (isset($note)) {
167
if (isset($note)) {
168
    echo html_tag( 'div', '<b>' . $note .'</b>', 'center' ) . "<br />\n";
168
    echo html_tag( 'div', '<b>' . htmlspecialchars($note) .'</b>', 'center' ) . "<br />\n";
169
}
169
}
170
170
171
if ( sqgetGlobalVar('just_logged_in', $just_logged_in, SQ_SESSION) ) {
171
if ( sqgetGlobalVar('just_logged_in', $just_logged_in, SQ_SESSION) ) {
