Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 61134 Details for
Bug 95937
mail-client/squirrelmail: XSS issues (CAN-2005-1769)
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
sqm-144-xss.patch
sqm-144-xss.patch (text/plain), 23.44 KB, created by
Thierry Carrez (RETIRED)
on 2005-06-13 02:05:55 UTC
(
hide
)
Description:
sqm-144-xss.patch
Filename:
MIME Type:
Creator:
Thierry Carrez (RETIRED)
Created:
2005-06-13 02:05:55 UTC
Size:
23.44 KB
patch
obsolete
>Only in squirrelmail-1.4.4/config: config.php >diff -uwr squirrelmail-1.4.4.orig/functions/addressbook.php squirrelmail-1.4.4/functions/addressbook.php >--- squirrelmail-1.4.4.orig/functions/addressbook.php Mon Dec 27 16:03:42 2004 >+++ squirrelmail-1.4.4/functions/addressbook.php Thu Jun 9 15:37:27 2005 >@@ -108,7 +108,7 @@ > if (!$r && $showerr) { > printf( ' ' . _("Error initializing LDAP server %s:") . > "<br />\n", $param['host']); >- echo ' ' . $abook->error; >+ echo ' ' . htmlspecialchars($abook->error); > exit; > } > } >@@ -239,7 +239,7 @@ > if (is_array($res)) { > $ret = array_merge($ret, $res); > } else { >- $this->error .= "<br />\n" . $backend->error; >+ $this->error .= "\n" . $backend->error; > $failed++; > } > } >@@ -255,7 +255,7 @@ > > $ret = $this->backends[$bnum]->search($expression); > if (!is_array($ret)) { >- $this->error .= "<br />\n" . $this->backends[$bnum]->error; >+ $this->error .= "\n" . $this->backends[$bnum]->error; > $ret = FALSE; > } > } >diff -uwr squirrelmail-1.4.4.orig/functions/mime.php squirrelmail-1.4.4/functions/mime.php >--- squirrelmail-1.4.4.orig/functions/mime.php Mon Jan 10 19:52:48 2005 >+++ squirrelmail-1.4.4/functions/mime.php Sun Jun 12 22:47:40 2005 >@@ -847,6 +847,16 @@ > /** > ** HTMLFILTER ROUTINES > */ >+function sq_unbackslash($attvalue){ >+ /** >+ * Remove any backslashes. See if there are any first. >+ */ >+ >+ if (strstr($attvalue, '\\') !== false){ >+ $attvalue = stripslashes($attvalue); >+ } >+ return $attvalue; >+} > > /** > * This function checks attribute values for entity-encoded values >@@ -1301,25 +1311,44 @@ > * @param $hex whether the entites are hexadecimal. > * @return True or False depending on whether there were matches. > */ >-function sq_deent(&$attvalue, $regex, $hex=false){ >+function sq_deent($attvalue){ > $me = 'sq_deent'; >- $ret_match = false; >- preg_match_all($regex, $attvalue, $matches); >- if (is_array($matches) && sizeof($matches[0]) > 0){ >- $repl = Array(); >- for ($i = 0; $i < sizeof($matches[0]); $i++){ >- $numval = $matches[1][$i]; >- if ($hex){ >- $numval = hexdec($numval); >+ /** >+ * See if we have to run the checks first. All entities must start >+ * with "&". >+ */ >+ if (strpos($attvalue, '&') === false){ >+ return $attvalue; > } >- $repl{$matches[0][$i]} = chr($numval); >+ /** >+ * Check named entities first. >+ */ >+ $trans = get_html_translation_table(HTML_ENTITIES); >+ /** >+ * Leave " in, as it can mess us up. >+ */ >+ $trans = array_flip($trans); >+ unset($trans{'"'}); >+ while (list($ent, $val) = each($trans)){ >+ $attvalue = preg_replace('/' . $ent . '*/si', $val, $attvalue); > } >- $attvalue = strtr($attvalue, $repl); >- return true; >- } else { >- return false; >+ /** >+ * Now translate numbered entities from 1 to 255 if needed. >+ */ >+ if (strpos($attvalue, '#') !== false){ >+ $omit = Array(34, 39); >+ for ($asc = 256; $asc >= 0; $asc--){ >+ if (!in_array($asc, $omit)){ >+ $chr = chr($asc); >+ $octrule = '/\�*' . $asc . ';*/si'; >+ $hexrule = '/\�*' . dechex($asc) . ';*/si'; >+ $attvalue = preg_replace($octrule, $chr, $attvalue); >+ $attvalue = preg_replace($hexrule, $chr, $attvalue); > } > } >+ } >+ return $attvalue; >+} > > /** > * This function runs various checks against the attributes. >@@ -1436,27 +1465,52 @@ > /** > * Fix url('blah') declarations. > */ >- $content = preg_replace("|url\s*\(\s*([\'\"])\s*\S+script\s*:.*?([\'\"])\s*\)|si", >- "url(\\1$secremoveimg\\2)", $content); >+ // remove NUL >+ $content = str_replace("\0", "", $content); >+ // NB I insert NUL characters to keep to avoid an infinite loop. They are removed after the loop. >+ while (preg_match("/url\s*\(\s*[\'\"]?([^:]+):(.*)?[\'\"]?\s*\)/si", $content, $matches)) { >+ $sProto = strtolower($matches[1]); >+ switch ($sProto) { > /** > * Fix url('https*://.*) declarations but only if $view_unsafe_images > * is false. > */ >+ case 'https': >+ case 'http': > if (!$view_unsafe_images){ > $content = preg_replace("|url\s*\(\s*([\'\"])\s*https*:.*?([\'\"])\s*\)|si", >- "url(\\1$secremoveimg\\2)", $content); >+ "u\0r\0l(\\1$secremoveimg\\2)", $content); > } >- >+ break; > /** > * Fix urls that refer to cid: > */ >- while (preg_match("|url\s*\(\s*([\'\"]\s*cid:.*?[\'\"])\s*\)|si", >- $content, $matches)){ >- $cidurl = $matches{1}; >+ case 'cid': >+ $cidurl = 'cid:'. $matches[2]; > $httpurl = sq_cid2http($message, $id, $cidurl, $mailbox); > $content = preg_replace("|url\s*\(\s*$cidurl\s*\)|si", >- "url($httpurl)", $content); >+ "u\0r\0l($httpurl)", $content); >+ break; >+ default: >+ /** >+ * replace url with protocol other then the white list >+ * http,https and cid by an empty string. >+ */ >+ $content = preg_replace("/url\s*\(\s*[\'\"]?([^:]+):(.*)?[\'\"]?\s*\)/si", >+ "", $content); >+ break; >+ } >+ break; > } >+ // remove NUL >+ $content = str_replace("\0", "", $content); >+ >+ /** >+ * Remove any backslashes, entities, and extraneous whitespace. >+ */ >+ $contentTemp = sq_unbackslash($content); >+ $contentTemp = sq_deent($contentTemp); >+ $contentTemp = sq_unspace($contentTemp); > > /** > * Fix stupid css declarations which lead to vulnerabilities >@@ -1467,7 +1521,12 @@ > '/binding/i', > '/include-source/i'); > $replace = Array('idiocy', 'idiocy', 'idiocy', 'idiocy'); >- $content = preg_replace($match, $replace, $content); >+ $contentNew = preg_replace($match, $replace, $contentTemp); >+ if ($contentNew !== $contentTemp) { >+ // insecure css declarations are used. From now on we don't care >+ // anymore if the css is destroyed by sq_deent, sq_unspace or sq_unbackslash >+ $content = $contentNew; >+ } > return array($content, $newpos); > } > >@@ -1754,7 +1813,8 @@ > "embed", > "title", > "frameset", >- "xml" >+ "xml", >+ "xmp" > ); > > $self_closing_tags = Array( >diff -uwr squirrelmail-1.4.4.orig/functions/page_header.php squirrelmail-1.4.4/functions/page_header.php >--- squirrelmail-1.4.4.orig/functions/page_header.php Mon Dec 27 22:08:58 2004 >+++ squirrelmail-1.4.4/functions/page_header.php Thu Jun 9 15:33:05 2005 >@@ -275,6 +275,7 @@ > : html_tag( 'td', '', 'left' ) ) > . "\n"; > $urlMailbox = urlencode($mailbox); >+ $startMessage = (int)$startMessage; > echo makeComposeLink('src/compose.php?mailbox='.$urlMailbox.'&startMessage='.$startMessage); > echo " \n"; > displayInternalLink ('src/addressbook.php', _("Addresses")); >diff -uwr squirrelmail-1.4.4.orig/plugins/calendar/calendar.php squirrelmail-1.4.4/plugins/calendar/calendar.php >--- squirrelmail-1.4.4.orig/plugins/calendar/calendar.php Mon Dec 27 16:03:49 2004 >+++ squirrelmail-1.4.4/plugins/calendar/calendar.php Thu Jun 9 15:33:05 2005 >@@ -29,16 +29,16 @@ > > /* get globals */ > >-if (isset($_GET['month'])) { >+if (isset($_GET['month']) && is_numeric($_GET['month'])) { > $month = $_GET['month']; > } >-if (isset($_GET['year'])) { >+if (isset($_GET['year']) && is_numeric($_GET['year'])) { > $year = $_GET['year']; > } >-if (isset($_POST['year'])) { >+if (isset($_POST['year']) && is_numeric($_POST['year'])) { > $year = $_POST['year']; > } >-if (isset($_POST['month'])) { >+if (isset($_POST['month']) && is_numeric($_POST['month'])) { > $month = $_POST['month']; > } > /* got 'em */ >diff -uwr squirrelmail-1.4.4.orig/plugins/calendar/day.php squirrelmail-1.4.4/plugins/calendar/day.php >--- squirrelmail-1.4.4.orig/plugins/calendar/day.php Mon Dec 27 16:03:49 2004 >+++ squirrelmail-1.4.4/plugins/calendar/day.php Thu Jun 9 15:33:05 2005 >@@ -29,22 +29,22 @@ > require_once(SM_PATH . 'functions/html.php'); > > /* get globals */ >-if (isset($_GET['year'])) { >+if (isset($_GET['year']) && is_numeric($_GET['year'])) { > $year = $_GET['year']; > } >-elseif (isset($_POST['year'])) { >+elseif (isset($_POST['year']) && is_numeric($_POST['year'])) { > $year = $_POST['year']; > } >-if (isset($_GET['month'])) { >+if (isset($_GET['month']) && is_numeric($_GET['month'])) { > $month = $_GET['month']; > } >-elseif (isset($_POST['month'])) { >+elseif (isset($_POST['month']) && is_numeric($_POST['month'])) { > $month = $_POST['month']; > } >-if (isset($_GET['day'])) { >+if (isset($_GET['day']) && is_numeric($_GET['day'])) { > $day = $_GET['day']; > } >-elseif (isset($_POST['day'])) { >+elseif (isset($_POST['day']) && is_numeric($_POST['day'])) { > $day = $_POST['day']; > } > >diff -uwr squirrelmail-1.4.4.orig/plugins/calendar/event_create.php squirrelmail-1.4.4/plugins/calendar/event_create.php >--- squirrelmail-1.4.4.orig/plugins/calendar/event_create.php Mon Dec 27 16:03:49 2004 >+++ squirrelmail-1.4.4/plugins/calendar/event_create.php Thu Jun 9 15:33:05 2005 >@@ -29,40 +29,40 @@ > > /* get globals */ > >-if (isset($_POST['year'])) { >+if (isset($_POST['year']) && is_numeric($_POST['year'])) { > $year = $_POST['year']; > } >-elseif (isset($_GET['year'])) { >+elseif (isset($_GET['year']) && is_numeric($_GET['year'])) { > $year = $_GET['year']; > } >-if (isset($_POST['month'])) { >+if (isset($_POST['month']) && is_numeric($_POST['month'])) { > $month = $_POST['month']; > } >-elseif (isset($_GET['month'])) { >+elseif (isset($_GET['month']) && is_numeric($_GET['month'])) { > $month = $_GET['month']; > } >-if (isset($_POST['day'])) { >+if (isset($_POST['day']) && is_numeric($_POST['day'])) { > $day = $_POST['day']; > } >-elseif (isset($_GET['day'])) { >+elseif (isset($_GET['day']) && is_numeric($_GET['day'])) { > $day = $_GET['day']; > } >-if (isset($_POST['hour'])) { >+if (isset($_POST['hour']) && is_numeric($_POST['hour'])) { > $hour = $_POST['hour']; > } >-elseif (isset($_GET['hour'])) { >+elseif (isset($_GET['hour']) && is_numeric($_GET['hour'])) { > $hour = $_GET['hour']; > } >-if (isset($_POST['event_hour'])) { >+if (isset($_POST['event_hour']) && is_numeric($_POST['event_hour'])) { > $event_hour = $_POST['event_hour']; > } >-if (isset($_POST['event_minute'])) { >+if (isset($_POST['event_minute']) && is_numeric($_POST['event_minute'])) { > $event_minute = $_POST['event_minute']; > } >-if (isset($_POST['event_length'])) { >+if (isset($_POST['event_length']) && is_numeric($_POST['event_length'])) { > $event_length = $_POST['event_length']; > } >-if (isset($_POST['event_priority'])) { >+if (isset($_POST['event_priority']) && is_numeric($_POST['event_priority'])) { > $event_priority = $_POST['event_priority']; > } > if (isset($_POST['event_title'])) { >diff -uwr squirrelmail-1.4.4.orig/plugins/calendar/event_edit.php squirrelmail-1.4.4/plugins/calendar/event_edit.php >--- squirrelmail-1.4.4.orig/plugins/calendar/event_edit.php Mon Dec 27 16:03:49 2004 >+++ squirrelmail-1.4.4/plugins/calendar/event_edit.php Thu Jun 9 15:33:05 2005 >@@ -33,22 +33,22 @@ > if (isset($_POST['updated'])) { > $updated = $_POST['updated']; > } >-if (isset($_POST['event_year'])) { >+if (isset($_POST['event_year']) && is_numeric($_POST['event_year'])) { > $event_year = $_POST['event_year']; > } >-if (isset($_POST['event_month'])) { >+if (isset($_POST['event_month']) && is_numeric($_POST['event_month'])) { > $event_month = $_POST['event_month']; > } >-if (isset($_POST['event_day'])) { >+if (isset($_POST['event_day']) && is_numeric($_POST['event_day'])) { > $event_day = $_POST['event_day']; > } >-if (isset($_POST['event_hour'])) { >+if (isset($_POST['event_hour']) && is_numeric($_POST['event_hour'])) { > $event_hour = $_POST['event_hour']; > } >-if (isset($_POST['event_minute'])) { >+if (isset($_POST['event_minute']) && is_numeric($_POST['event_minute'])) { > $event_minute = $_POST['event_minute']; > } >-if (isset($_POST['event_length'])) { >+if (isset($_POST['event_length']) && is_numeric($_POST['event_length'])) { > $event_length = $_POST['event_length']; > } > if (isset($_POST['event_title'])) { >@@ -60,40 +60,40 @@ > if (isset($_POST['send'])) { > $send = $_POST['send']; > } >-if (isset($_POST['event_priority'])) { >+if (isset($_POST['event_priority']) && is_numeric($_POST['event_priority'])) { > $event_priority = $_POST['event_priority']; > } > if (isset($_POST['confirmed'])) { > $confirmed = $_POST['confirmed']; > } >-if (isset($_POST['year'])) { >+if (isset($_POST['year']) && is_numeric($_POST['year'])) { > $year = $_POST['year']; > } >-elseif (isset($_GET['year'])) { >+elseif (isset($_GET['year']) && is_numeric($_GET['year'])) { > $year = $_GET['year']; > } >-if (isset($_POST['month'])) { >+if (isset($_POST['month']) && is_numeric($_POST['month'])) { > $month = $_POST['month']; > } >-elseif (isset($_GET['month'])) { >+elseif (isset($_GET['month']) && is_numeric($_GET['month'])) { > $month = $_GET['month']; > } >-if (isset($_POST['day'])) { >+if (isset($_POST['day']) && is_numeric($_POST['day'])) { > $day = $_POST['day']; > } >-elseif (isset($_GET['day'])) { >+elseif (isset($_GET['day']) && is_numeric($_GET['day'])) { > $day = $_GET['day']; > } >-if (isset($_POST['hour'])) { >+if (isset($_POST['hour']) && is_numeric($_POST['hour'])) { > $hour = $_POST['hour']; > } >-elseif (isset($_GET['hour'])) { >+elseif (isset($_GET['hour']) && is_numeric($_GET['hour'])) { > $hour = $_GET['hour']; > } >-if (isset($_POST['minute'])) { >+if (isset($_POST['minute']) && is_numeric($_POST['minute'])) { > $minute = $_POST['minute']; > } >-elseif (isset($_GET['minute'])) { >+elseif (isset($_GET['minute']) && is_numeric($_GET['minute'])) { > $minute = $_GET['minute']; > } > /* got 'em */ >diff -uwr squirrelmail-1.4.4.orig/plugins/filters/options.php squirrelmail-1.4.4/plugins/filters/options.php >--- squirrelmail-1.4.4.orig/plugins/filters/options.php Mon Dec 27 16:03:57 2004 >+++ squirrelmail-1.4.4/plugins/filters/options.php Sun Jun 12 22:35:35 2005 >@@ -189,7 +189,7 @@ > html_tag( 'td', '', 'left' ) . > '<input type="text" size="32" name="filter_what" value="'; > if (isset($filters[$theid]['what'])) { >- echo $filters[$theid]['what']; >+ echo htmlspecialchars($filters[$theid]['what']); > } > echo '" />'. > '</td>'. >diff -uwr squirrelmail-1.4.4.orig/plugins/filters/spamoptions.php squirrelmail-1.4.4/plugins/filters/spamoptions.php >--- squirrelmail-1.4.4.orig/plugins/filters/spamoptions.php Mon Dec 27 16:03:57 2004 >+++ squirrelmail-1.4.4/plugins/filters/spamoptions.php Sun Jun 12 22:36:03 2005 >@@ -199,7 +199,7 @@ > echo html_tag( 'p', '', 'center' ) . > '[<a href="spamoptions.php?action=spam">' . _("Edit") . '</a>]' . > ' - [<a href="../../src/options.php">' . _("Done") . '</a>]</center><br /><br />'; >- printf( _("Spam is sent to %s."), ($filters_spam_folder?'<b>'.imap_utf7_decode_local($filters_spam_folder).'</b>':'[<i>'._("not set yet").'</i>]' ) ); >+ printf( _("Spam is sent to %s."), ($filters_spam_folder?'<b>'.htmlspecialchars(imap_utf7_decode_local($filters_spam_folder)).'</b>':'[<i>'._("not set yet").'</i>]' ) ); > echo '<br />'; > printf( _("Spam scan is limited to %s."), '<b>' . ( ($filters_spam_scan == 'new')?_("Unread messages only"):_("All messages") ) . '</b>' ); > echo '</p>'. >diff -uwr squirrelmail-1.4.4.orig/plugins/listcommands/mailout.php squirrelmail-1.4.4/plugins/listcommands/mailout.php >--- squirrelmail-1.4.4.orig/plugins/listcommands/mailout.php Mon Dec 27 16:03:58 2004 >+++ squirrelmail-1.4.4/plugins/listcommands/mailout.php Thu Jun 9 15:33:05 2005 >@@ -25,14 +25,6 @@ > sqgetGlobalVar('body', $body, SQ_GET); > sqgetGlobalVar('action', $action, SQ_GET); > >-echo html_tag('p', '', 'left' ) . >-html_tag( 'table', '', 'center', $color[0], 'border="0" width="75%"' ) . "\n" . >- html_tag( 'tr', >- html_tag( 'th', _("Mailinglist") . ' ' . _($action), '', $color[9] ) >- ) . >- html_tag( 'tr' ) . >- html_tag( 'td', '', 'left' ); >- > switch ( $action ) { > case 'help': > $out_string = _("This will send a message to %s requesting help for this list. You will receive an emailed response at the address below."); >@@ -42,7 +34,19 @@ > break; > case 'unsubscribe': > $out_string = _("This will send a message to %s requesting that you will be unsubscribed from this list. It will try to unsubscribe the adress below."); >+default: >+ error_box(sprintf(_("Unknown action: %s"),htmlspecialchars($action)), $color); >+ exit; > } >+ >+echo html_tag('p', '', 'left' ) . >+html_tag( 'table', '', 'center', $color[0], 'border="0" width="75%"' ) . "\n" . >+ html_tag( 'tr', >+ html_tag( 'th', _("Mailinglist") . ' ' . _($action), '', $color[9] ) >+ ) . >+ html_tag( 'tr' ) . >+ html_tag( 'td', '', 'left' ); >+ > > printf( $out_string, htmlspecialchars($send_to) ); > >Only in squirrelmail-1.4.4/plugins/listcommands: mailout.php.orig >diff -uwr squirrelmail-1.4.4.orig/plugins/newmail/newmail.php squirrelmail-1.4.4/plugins/newmail/newmail.php >--- squirrelmail-1.4.4.orig/plugins/newmail/newmail.php Mon Dec 27 16:03:58 2004 >+++ squirrelmail-1.4.4/plugins/newmail/newmail.php Thu Jun 9 15:33:05 2005 >@@ -22,6 +22,7 @@ > require_once(SM_PATH . 'functions/page_header.php'); > > sqGetGlobalVar('numnew', $numnew, SQ_GET); >+$numnew = (int)$numnew; > > displayHtmlHeader( _("New Mail"), '', FALSE ); > >diff -uwr squirrelmail-1.4.4.orig/plugins/spamcop/setup.php squirrelmail-1.4.4/plugins/spamcop/setup.php >--- squirrelmail-1.4.4.orig/plugins/spamcop/setup.php Mon Dec 27 16:03:58 2004 >+++ squirrelmail-1.4.4/plugins/spamcop/setup.php Sun Jun 12 22:36:52 2005 >@@ -75,6 +75,9 @@ > sqgetGlobalVar('passed_ent_id',$passed_ent_id,SQ_FORM); > sqgetGlobalVar('mailbox', $mailbox, SQ_FORM); > sqgetGlobalVar('startMessage', $startMessage, SQ_FORM); >+ if ( sqgetGlobalVar('startMessage', $startMessage, SQ_FORM) ) { >+ $startMessage = (int)$startMessage; >+ } > /* END GLOBALS */ > > // catch unset passed_ent_id >diff -uwr squirrelmail-1.4.4.orig/plugins/squirrelspell/modules/lang_change.mod squirrelmail-1.4.4/plugins/squirrelspell/modules/lang_change.mod >--- squirrelmail-1.4.4.orig/plugins/squirrelspell/modules/lang_change.mod Sat Jun 12 18:39:48 2004 >+++ squirrelmail-1.4.4/plugins/squirrelspell/modules/lang_change.mod Thu Jun 9 15:33:05 2005 >@@ -69,11 +69,11 @@ > $lang_array = explode( ',', $lang_string ); > $dsp_string = ''; > foreach( $lang_array as $a) { >- $dsp_string .= _(trim($a)) . ', '; >+ $dsp_string .= _(htmlspecialchars(trim($a))) . ', '; > } > $dsp_string = substr( $dsp_string, 0, -2 ); > $msg = '<p>' >- . sprintf(_("Settings adjusted to: %s with %s as default dictionary."), '<strong>'.$dsp_string.'</strong>', '<strong>'._($lang_default).'</strong>') >+ . sprintf(_("Settings adjusted to: %s with %s as default dictionary."), '<strong>'.$dsp_string.'</strong>', '<strong>'._(htmlspecialchars($lang_default)).'</strong>') > . '</p>'; > } else { > /** >diff -uwr squirrelmail-1.4.4.orig/src/addressbook.php squirrelmail-1.4.4/src/addressbook.php >--- squirrelmail-1.4.4.orig/src/addressbook.php Mon Dec 27 16:03:59 2004 >+++ squirrelmail-1.4.4/src/addressbook.php Thu Jun 9 15:34:15 2005 >@@ -279,7 +279,7 @@ > html_tag( 'tr', > html_tag( 'td', > "\n". '<strong><font color="' . $color[2] . >- '">' . _("ERROR") . ': ' . $abook->error . '</font></strong>' ."\n", >+ '">' . _("ERROR") . ': ' . htmlspecialchars($abook->error) . '</font></strong>' ."\n", > 'center' ) > ), > 'center', '', 'width="100%"' ); >@@ -331,7 +331,7 @@ > html_tag( 'tr', > html_tag( 'td', > "\n". '<br /><strong><font color="' . $color[2] . >- '">' . _("ERROR") . ': ' . $formerror . '</font></strong>' ."\n", >+ '">' . _("ERROR") . ': ' . htmlspecialchars($formerror) . '</font></strong>' ."\n", > 'center' ) > ), > 'center', '', 'width="100%"' ); >@@ -343,6 +343,7 @@ > /* Get and sort address list */ > $alist = $abook->list_addr(); > if(!is_array($alist)) { >+ htmlspecialchars($abook_error); > plain_error_message($abook->error, $color); > exit; > } >diff -uwr squirrelmail-1.4.4.orig/src/compose.php squirrelmail-1.4.4/src/compose.php >--- squirrelmail-1.4.4.orig/src/compose.php Mon Jan 3 16:06:28 2005 >+++ squirrelmail-1.4.4/src/compose.php Thu Jun 9 15:38:42 2005 >@@ -76,6 +76,11 @@ > sqgetGlobalVar('saved_draft',$saved_draft); > sqgetGlobalVar('delete_draft',$delete_draft); > sqgetGlobalVar('startMessage',$startMessage); >+if ( sqgetGlobalVar('startMessage',$startMessage) ) { >+ $startMessage = (int)$startMessage; >+} else { >+ $startMessage = 1; >+} } > > /** POST VARS */ > sqgetGlobalVar('sigappend', $sigappend, SQ_POST); >diff -uwr squirrelmail-1.4.4.orig/src/printer_friendly_bottom.php squirrelmail-1.4.4/src/printer_friendly_bottom.php >--- squirrelmail-1.4.4.orig/src/printer_friendly_bottom.php Tue Dec 28 14:02:49 2004 >+++ squirrelmail-1.4.4/src/printer_friendly_bottom.php Thu Jun 9 15:33:05 2005 >@@ -33,7 +33,8 @@ > sqgetGlobalVar('passed_id', $passed_id, SQ_GET); > sqgetGlobalVar('mailbox', $mailbox, SQ_GET); > >-if (! sqgetGlobalVar('passed_ent_id', $passed_ent_id, SQ_GET) ) { >+if (! sqgetGlobalVar('passed_ent_id', $passed_ent_id, SQ_GET) || >+ ! preg_match('/^\d+(\.\d+)*$/', $passed_ent_id) ) { > $passed_ent_id = ''; > } > /* end globals */ >diff -uwr squirrelmail-1.4.4.orig/src/right_main.php squirrelmail-1.4.4/src/right_main.php >--- squirrelmail-1.4.4.orig/src/right_main.php Mon Dec 27 16:04:00 2004 >+++ squirrelmail-1.4.4/src/right_main.php Thu Jun 9 15:33:05 2005 >@@ -165,7 +165,7 @@ > > do_hook('right_main_after_header'); > if (isset($note)) { >- echo html_tag( 'div', '<b>' . $note .'</b>', 'center' ) . "<br />\n"; >+ echo html_tag( 'div', '<b>' . htmlspecialchars($note) .'</b>', 'center' ) . "<br />\n"; > } > > if ( sqgetGlobalVar('just_logged_in', $just_logged_in, SQ_SESSION) ) {
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=61134">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 95937
:
61134
|
61189
|
61245
