(-)squirrelmail-1.4.4.orig/functions/addressbook.php (-3 / +3 lines)
Lines 108-114 Link Here
108
                if (!$r && $showerr) {
108
                if (!$r && $showerr) {
109
                    printf( ' ' . _("Error initializing LDAP server %s:") .
109
                    printf( ' ' . _("Error initializing LDAP server %s:") .
110
                            "<br />\n", $param['host']);
110
                            "<br />\n", $param['host']);
111
                    echo '&nbsp;' . $abook->error;
111
                    echo '&nbsp;' . htmlspecialchars($abook->error);
112
                    exit;
112
                    exit;
113
                }
113
                }
114
            }
114
            }
Lines 239-245 Link Here
239
                if (is_array($res)) {
239
                if (is_array($res)) {
240
                    $ret = array_merge($ret, $res);
240
                    $ret = array_merge($ret, $res);
241
                } else {
241
                } else {
242
                    $this->error .= "<br />\n" . $backend->error;
242
                    $this->error .= "\n" . $backend->error;
243
                    $failed++;
243
                    $failed++;
244
                }
244
                }
245
            }
245
            }
Lines 255-261 Link Here
255
            $ret = $this->backends[$bnum]->search($expression);
255
            $ret = $this->backends[$bnum]->search($expression);
256
            if (!is_array($ret)) {
256
            if (!is_array($ret)) {
257
                $this->error .= "<br />\n" . $this->backends[$bnum]->error;
257
                $this->error .= "\n" . $this->backends[$bnum]->error;
258
                $ret = FALSE;
258
                $ret = FALSE;
259
            }
259
            }
260
        }
260
        }
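Review bot: The hunks at lines 242 and 257 change the separator appended to `$this->error` from `<br />\n` to `\n`, so the accumulated error is now plain text and every caller that prints it into HTML has to escape it itself, as the hunk at line 111 now does with `htmlspecialchars($abook->error)`; a caller that relied on the old markup for line breaks would need `nl2br(htmlspecialchars($abook->error))` to keep multi-backend errors readable. The `printf` at lines 109-110 still interpolates `$param['host']` unescaped; presumably that value comes from the LDAP configuration rather than the request, but escaping it as well keeps this output path uniformly safe. The enclosing methods begin and end outside these hunks.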
(-)squirrelmail-1.4.4.orig/functions/mime.php (-16 / +104 lines)
Lines 1388-1399 Link Here
1388
                }
1388
                }
1389
            }
1389
            }
1390
        }
1390
        }
1391
1392
        /**
1393
         * Replace empty src tags with the blank image.  src is only used
1394
         * for frames, images, and image inputs.  Doing a replace should
1395
         * not affect them working as should be, however it will stop
1396
         * IE from being kicked off when src for img tags are not set
1397
         */
1398
        if (($attname == 'src') && ($attvalue == '""')) {
1399
            $attary{$attname} = '"' . SM_PATH . 'images/blank.png"';
1400
        }
1401
1391
        /**
1402
        /**
1392
         * Turn cid: urls into http-friendly ones.
1403
         * Turn cid: urls into http-friendly ones.
1393
         */
1404
         */
1394
        if (preg_match("/^[\'\"]\s*cid:/si", $attvalue)){
1405
        if (preg_match("/^[\'\"]\s*cid:/si", $attvalue)){
1395
            $attary{$attname} = sq_cid2http($message, $id, $attvalue, $mailbox);
1406
            $attary{$attname} = sq_cid2http($message, $id, $attvalue, $mailbox);
1396
        }
1407
        }
1408
1409
        /**
1410
         * "Hack" fix for Outlook using propriatary outbind:// protocol in img tags.
1411
         * One day MS might actually make it match something useful, for now, falling
1412
         * back to using cid2http, so we can grab the blank.png.
1413
         */
1414
        if (preg_match("/^[\'\"]\s*outbind:\/\//si", $attvalue)) {
1415
            $attary{$attname} = sq_cid2http($message, $id, $attvalue, $mailbox);
1416
        }
1417
1397
    }
1418
    }
1398
    /**
1419
    /**
1399
     * See if we need to append any attributes to this tag.
1420
     * See if we need to append any attributes to this tag.
Lines 1408-1414 Link Here
1408
/**
1429
/**
1409
 * This function edits the style definition to make them friendly and
1430
 * This function edits the style definition to make them friendly and
1410
 * usable in squirrelmail.
1431
 * usable in SquirrelMail.
1411
 *
1432
 *
1412
 * @param  $message  the message object
1433
 * @param  $message  the message object
1413
 * @param  $id       the message id
1434
 * @param  $id       the message id
Lines 1436-1462 Link Here
1436
    /**
1457
    /**
1437
     * Fix url('blah') declarations.
1458
     * Fix url('blah') declarations.
1438
     */
1459
     */
1439
    $content = preg_replace("|url\s*\(\s*([\'\"])\s*\S+script\s*:.*?([\'\"])\s*\)|si",
1460
    //   $content = preg_replace("|url\s*\(\s*([\'\"])\s*\S+script\s*:.*?([\'\"])\s*\)|si",
1440
                            "url(\\1$secremoveimg\\2)", $content);
1461
    //                           "url(\\1$secremoveimg\\2)", $content);
1462
    // remove NUL
1463
    $content = str_replace("\0", "", $content);
1464
    // NB I insert NUL characters to keep to avoid an infinite loop. They are removed after the loop.
1465
    while (preg_match("/url\s*\(\s*[\'\"]?([^:]+):(.*)?[\'\"]?\s*\)/si", $content, $matches)) {
1466
        $sProto = strtolower($matches[1]);
1467
        switch ($sProto) {
1441
    /**
1468
    /**
1442
     * Fix url('https*://.*) declarations but only if $view_unsafe_images
1469
     * Fix url('https*://.*) declarations but only if $view_unsafe_images
1443
     * is false.
1470
     * is false.
1444
     */
1471
     */
1472
          case 'https':
1473
          case 'http':
1445
    if (!$view_unsafe_images){
1474
    if (!$view_unsafe_images){
1446
        $content = preg_replace("|url\s*\(\s*([\'\"])\s*https*:.*?([\'\"])\s*\)|si",
1475
                $sExpr = "/url\s*\(\s*([\'\"])\s*$sProto*:.*?([\'\"])\s*\)/si";
1447
                                "url(\\1$secremoveimg\\2)", $content);
1476
                $content = preg_replace($sExpr, "u\0r\0l(\\1$secremoveimg\\2)", $content);
1448
    }
1477
    }
1449
1478
            break;
1450
    /**
1479
    /**
1451
     * Fix urls that refer to cid:
1480
     * Fix urls that refer to cid:
1452
     */
1481
     */
1453
    while (preg_match("|url\s*\(\s*([\'\"]\s*cid:.*?[\'\"])\s*\)|si",
1482
          case 'cid':
1454
                      $content, $matches)){
1483
            $cidurl = 'cid:'. $matches[2];
1455
        $cidurl = $matches{1};
1456
        $httpurl = sq_cid2http($message, $id, $cidurl, $mailbox);
1484
        $httpurl = sq_cid2http($message, $id, $cidurl, $mailbox);
1457
        $content = preg_replace("|url\s*\(\s*$cidurl\s*\)|si",
1485
        $content = preg_replace("|url\s*\(\s*$cidurl\s*\)|si",
1458
                                "url($httpurl)", $content);
1486
                                "u\0r\0l($httpurl)", $content);
1487
            break;
1488
          default:
1489
            /**
1490
             * replace url with protocol other then the white list
1491
             * http,https and cid by an empty string.
1492
             */
1493
            $content = preg_replace("/url\s*\(\s*[\'\"]?([^:]+):(.*)?[\'\"]?\s*\)/si",
1494
                                "", $content);
1495
            break;
1459
    }
1496
    }
1497
        break;
1498
    }
1499
    // remove NUL
1500
    $content = str_replace("\0", "", $content);
1501
1502
   /**
1503
    * Remove any backslashes, entities, and extraneous whitespace.
1504
    */
1505
    $contentTemp = $content;
1506
    sq_defang($contentTemp);
1507
    sq_unspace($contentTemp);
1460
    /**
1508
    /**
1461
     * Fix stupid css declarations which lead to vulnerabilities
1509
     * Fix stupid css declarations which lead to vulnerabilities
Lines 1467-1476 Link Here
1467
                     '/binding/i',
1515
                     '/binding/i',
1468
                     '/include-source/i');
1516
                     '/include-source/i');
1469
    $replace = Array('idiocy', 'idiocy', 'idiocy', 'idiocy');
1517
    $replace = Array('idiocy', 'idiocy', 'idiocy', 'idiocy');
1470
    $content = preg_replace($match, $replace, $content);
1518
    $contentNew = preg_replace($match, $replace, $contentTemp);
1519
    if ($contentNew !== $contentTemp) {
1520
        // insecure css declarations are used. From now on we don't care
1521
        // anymore if the css is destroyed by sq_deent, sq_unspace or sq_unbackslash
1522
        $content = $contentNew;
1523
    }
1471
    return array($content, $newpos);
1524
    return array($content, $newpos);
1472
}
1525
}
1526
1473
/**
1527
/**
1474
 * This function converts cid: url's into the ones that can be viewed in
1528
 * This function converts cid: url's into the ones that can be viewed in
1475
 * the browser.
1529
 * the browser.
Lines 1492-1506 Link Here
1492
        $quotchar = '';
1546
        $quotchar = '';
1493
    }
1547
    }
1494
    $cidurl = substr(trim($cidurl), 4);
1548
    $cidurl = substr(trim($cidurl), 4);
1549
1550
    $match_str = '/\{.*?\}\//';
1551
    $str_rep = '';
1552
    $cidurl = preg_replace($match_str, $str_rep, $cidurl);
1553
1495
    $linkurl = find_ent_id($cidurl, $message);
1554
    $linkurl = find_ent_id($cidurl, $message);
1496
    /* in case of non-save cid links $httpurl should be replaced by a sort of
1555
    /* in case of non-save cid links $httpurl should be replaced by a sort of
1497
       unsave link image */
1556
       unsave link image */
1498
    $httpurl = '';
1557
    $httpurl = '';
1499
    if ($linkurl) {
1558
1559
    /**
1560
     * This is part of a fix for Outlook Express 6.x generating
1561
     * cid URLs without creating content-id headers. These images are
1562
     * not part of the multipart/related html mail. The html contains
1563
     * <img src="cid:{some_id}/image_filename.ext"> references to
1564
     * attached images with as goal to render them inline although
1565
     * the attachment disposition property is not inline.
1566
     */
1567
1568
    if (empty($linkurl)) {
1569
        if (preg_match('/{.*}\//', $cidurl)) {
1570
            $cidurl = preg_replace('/{.*}\//','', $cidurl);
1571
            if (!empty($cidurl)) {
1572
                $linkurl = find_ent_id($cidurl, $message);
1573
            }
1574
        }
1575
    }
1576
1577
    if (!empty($linkurl)) {
1500
        $httpurl = $quotchar . SM_PATH . 'src/download.php?absolute_dl=true&amp;' .
1578
        $httpurl = $quotchar . SM_PATH . 'src/download.php?absolute_dl=true&amp;' .
1501
                   "passed_id=$id&amp;mailbox=" . urlencode($mailbox) .
1579
                   "passed_id=$id&amp;mailbox=" . urlencode($mailbox) .
1502
                   '&amp;ent_id=' . $linkurl . $quotchar;
1580
                   '&amp;ent_id=' . $linkurl . $quotchar;
1581
    } else {
1582
        /**
1583
         * If we couldn't generate a proper img url, drop in a blank image
1584
         * instead of sending back empty, otherwise it causes unusual behaviour
1585
         */
1586
        $httpurl = $quotchar . SM_PATH . 'images/blank.png';
1503
    }
1587
    }
1588
1504
    return $httpurl;
1589
    return $httpurl;
1505
}
1590
}
Lines 1526-1533 Link Here
1526
            $attvalue = str_replace($quotchar, "", $attvalue);
1611
            $attvalue = str_replace($quotchar, "", $attvalue);
1527
            switch ($attname){
1612
            switch ($attname){
1528
                case 'background':
1613
                case 'background':
1529
                    $attvalue = sq_cid2http($message, $id,
1614
                    $attvalue = sq_cid2http($message, $id, $attvalue, $mailbox);
1530
                                            $attvalue, $mailbox);
1531
                    $styledef .= "background-image: url('$attvalue'); ";
1615
                    $styledef .= "background-image: url('$attvalue'); ";
1532
                    break;
1616
                    break;
1533
                case 'bgcolor':
1617
                case 'bgcolor':
Lines 1754-1759 Link Here
1754
                                  "embed",
1838
                                  "embed",
1755
                                  "title",
1839
                                  "title",
1756
                                  "frameset",
1840
                                  "frameset",
1841
            "xmp",
1757
                                  "xml"
1842
                                  "xml"
1758
                                  );
1843
                                  );
Lines 1761-1767 Link Here
1761
                                "img",
1846
                                "img",
1762
                                "br",
1847
                                "br",
1763
                                "hr",
1848
                                "hr",
1764
                                "input"
1849
            "input",
1850
            "outbind"
1765
                                );
1851
                                );
1766
    $force_tag_closing = true;
1852
    $force_tag_closing = true;
Lines 1816-1821 Link Here
1816
                                "/binding/i",
1902
                                "/binding/i",
1817
                                "/behaviou*r/i",
1903
                                "/behaviou*r/i",
1818
                                "/include-source/i",
1904
                                "/include-source/i",
1905
                    "/position\s*:\s*absolute/i",
1819
                                "/url\s*\(\s*([\'\"])\s*\S+script\s*:.*([\'\"])\s*\)/si",
1906
                                "/url\s*\(\s*([\'\"])\s*\S+script\s*:.*([\'\"])\s*\)/si",
1820
                                "/url\s*\(\s*([\'\"])\s*mocha\s*:.*([\'\"])\s*\)/si",
1907
                                "/url\s*\(\s*([\'\"])\s*mocha\s*:.*([\'\"])\s*\)/si",
1821
                                "/url\s*\(\s*([\'\"])\s*about\s*:.*([\'\"])\s*\)/si",
1908
                                "/url\s*\(\s*([\'\"])\s*about\s*:.*([\'\"])\s*\)/si",
Lines 1826-1831 Link Here
1826
                                "idiocy",
1913
                                "idiocy",
1827
                                "idiocy",
1914
                                "idiocy",
1828
                                "idiocy",
1915
                                "idiocy",
1916
                    "",
1829
                                "url(\\1#\\1)",
1917
                                "url(\\1#\\1)",
1830
                                "url(\\1#\\1)",
1918
                                "url(\\1#\\1)",
1831
                                "url(\\1#\\1)",
1919
                                "url(\\1#\\1)",
Lines 1856-1862 Link Here
1856
    $add_attr_to_tag = Array(
1944
    $add_attr_to_tag = Array(
1857
        "/^a$/i" =>
1945
        "/^a$/i" =>
1858
            Array('target'=>'"_new"',
1946
            Array('target'=>'"_blank"',
1859
                  'title'=>'"'._("This external link will open in a new window").'"'
1947
                  'title'=>'"'._("This external link will open in a new window").'"'
1860
            )
1948
            )
1861
    );
1949
    );
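Review bot: The `while (preg_match(...))` loop added in the Lines 1436-1462 hunk only terminates if each iteration rewrites the `url(` it just matched, and two branches do not: `case 'http'`/`'https'` leaves `$content` untouched when `$view_unsafe_images` is true, and `case 'cid'` builds `$cidurl` from `$matches[2]`, which for a quoted `url('cid:...')` excludes the opening quote but, because `(.*)?` is greedy and the quote class after it is optional, keeps the closing one, so the replacement pattern on the following line does not match the original text. In either situation the same match is found again on the next pass and the request loops forever on a message-supplied style block, something the old single-pass `preg_replace` code could not do; `$cidurl` is also interpolated into a PCRE pattern without `preg_quote()`. Rewriting the exact matched text `$matches[0]` in every branch, and NUL-marking it even when it is deliberately left in place, keeps the loop advancing and avoids the dynamic pattern. `sq_fix_style` begins and ends outside this hunk.
```php
        $sProto = strtolower($matches[1]);
        switch ($sProto) {
          case 'https':
          case 'http':
            if (!$view_unsafe_images){
                $sExpr = "/url\s*\(\s*([\'\"])\s*$sProto*:.*?([\'\"])\s*\)/si";
                $content = preg_replace($sExpr, "u\0r\0l(\\1$secremoveimg\\2)", $content);
            } else {
                // allowed url: leave it in place but mark it so the loop advances
                $content = str_replace($matches[0], "u\0r\0l" . substr($matches[0], 3), $content);
            }
            break;
          case 'cid':
            // drop the closing quote / whitespace the greedy capture swallowed
            $cidurl = 'cid:' . rtrim($matches[2], "'\" \t");
            $httpurl = sq_cid2http($message, $id, $cidurl, $mailbox);
            $content = str_replace($matches[0], "u\0r\0l($httpurl)", $content);
            break;
          // … unchanged: default branch …
        }
```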
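--- a/squirrelmail-1.4.4.orig/functions/page_header.php
+++ b/squirrelmail-1.4.4.orig/functions/page_header.php
@@ -275,6 +275,7 @@
                                  : html_tag( 'td', '', 'left' ) )
         . "\n";
     $urlMailbox = urlencode($mailbox);
+    $startMessage = (int)$startMessage;
     echo makeComposeLink('src/compose.php?mailbox='.$urlMailbox.'&amp;startMessage='.$startMessage);
     echo "&nbsp;&nbsp;\n";
     displayInternalLink ('src/addressbook.php', _("Addresses"));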
(-)squirrelmail-1.4.4.orig/plugins/calendar/calendar.php (-4 / +4 lines)
Lines 29-44 Link Here
29
/* get globals */
29
/* get globals */
30
if (isset($_GET['month'])) {
30
if (isset($_GET['month']) && is_numeric($_GET['month'])) {
31
    $month = $_GET['month'];
31
    $month = $_GET['month'];
32
}
32
}
33
if (isset($_GET['year'])) {
33
if (isset($_GET['year']) && is_numeric($_GET['year'])) {
34
    $year = $_GET['year'];
34
    $year = $_GET['year'];
35
}
35
}
36
if (isset($_POST['year'])) {
36
if (isset($_POST['year']) && is_numeric($_POST['year'])) {
37
    $year = $_POST['year'];
37
    $year = $_POST['year'];
38
}
38
}
39
if (isset($_POST['month'])) {
39
if (isset($_POST['month']) && is_numeric($_POST['month'])) {
40
    $month = $_POST['month'];
40
    $month = $_POST['month'];
41
}
41
}
42
/* got 'em */
42
/* got 'em */
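Review bot: `is_numeric()` in the hunk at lines 30-39 accepts more than a plain integer — signed values, decimals, exponent notation such as `1e3` and leading whitespace — so `$month` and `$year` are still not guaranteed to be small positive integers after the check; if they are later echoed into the page or used to build file or folder names (not visible here), an explicit cast `$month = (int)$_GET['month'];` or a `ctype_digit()` test would be the tighter guard. The same applies to the matching hunks in plugins/calendar/day.php, plugins/calendar/event_create.php and plugins/calendar/event_edit.php.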
(-)squirrelmail-1.4.4.orig/plugins/calendar/day.php (-6 / +6 lines)
Lines 29-50 Link Here
29
require_once(SM_PATH . 'functions/html.php');
29
require_once(SM_PATH . 'functions/html.php');
30
/* get globals */
30
/* get globals */
31
if (isset($_GET['year'])) {
31
if (isset($_GET['year']) && is_numeric($_GET['year'])) {
32
    $year = $_GET['year'];
32
    $year = $_GET['year'];
33
}
33
}
34
elseif (isset($_POST['year'])) {
34
elseif (isset($_POST['year']) && is_numeric($_POST['year'])) {
35
    $year = $_POST['year'];
35
    $year = $_POST['year'];
36
}
36
}
37
if (isset($_GET['month'])) {
37
if (isset($_GET['month']) && is_numeric($_GET['month'])) {
38
    $month = $_GET['month'];
38
    $month = $_GET['month'];
39
}
39
}
40
elseif (isset($_POST['month'])) {
40
elseif (isset($_POST['month']) && is_numeric($_POST['month'])) {
41
    $month = $_POST['month'];
41
    $month = $_POST['month'];
42
}
42
}
43
if (isset($_GET['day'])) {
43
if (isset($_GET['day']) && is_numeric($_GET['day'])) {
44
    $day = $_GET['day'];
44
    $day = $_GET['day'];
45
}
45
}
46
elseif (isset($_POST['day'])) {
46
elseif (isset($_POST['day']) && is_numeric($_POST['day'])) {
47
    $day = $_POST['day'];
47
    $day = $_POST['day'];
48
}
48
}
(-)squirrelmail-1.4.4.orig/plugins/calendar/event_create.php (-12 / +12 lines)
Lines 29-68 Link Here
29
/* get globals */
29
/* get globals */
30
if (isset($_POST['year'])) {
30
if (isset($_POST['year']) && is_numeric($_POST['year'])) {
31
    $year = $_POST['year'];
31
    $year = $_POST['year'];
32
}
32
}
33
elseif (isset($_GET['year'])) {
33
elseif (isset($_GET['year']) && is_numeric($_GET['year'])) {
34
    $year = $_GET['year'];
34
    $year = $_GET['year'];
35
}
35
}
36
if (isset($_POST['month'])) {
36
if (isset($_POST['month']) && is_numeric($_POST['month'])) {
37
    $month = $_POST['month'];
37
    $month = $_POST['month'];
38
}
38
}
39
elseif (isset($_GET['month'])) {
39
elseif (isset($_GET['month']) && is_numeric($_GET['month'])) {
40
    $month = $_GET['month'];
40
    $month = $_GET['month'];
41
}
41
}
42
if (isset($_POST['day'])) {
42
if (isset($_POST['day']) && is_numeric($_POST['day'])) {
43
    $day = $_POST['day'];
43
    $day = $_POST['day'];
44
}
44
}
45
elseif (isset($_GET['day'])) {
45
elseif (isset($_GET['day']) && is_numeric($_GET['day'])) {
46
    $day = $_GET['day'];
46
    $day = $_GET['day'];
47
}
47
}
48
if (isset($_POST['hour'])) {
48
if (isset($_POST['hour']) && is_numeric($_POST['hour'])) {
49
    $hour = $_POST['hour'];
49
    $hour = $_POST['hour'];
50
}
50
}
51
elseif (isset($_GET['hour'])) {
51
elseif (isset($_GET['hour']) && is_numeric($_GET['hour'])) {
52
    $hour = $_GET['hour'];
52
    $hour = $_GET['hour'];
53
}
53
}
54
if (isset($_POST['event_hour'])) {
54
if (isset($_POST['event_hour']) && is_numeric($_POST['event_hour'])) {
55
    $event_hour = $_POST['event_hour'];
55
    $event_hour = $_POST['event_hour'];
56
}
56
}
57
if (isset($_POST['event_minute'])) {
57
if (isset($_POST['event_minute']) && is_numeric($_POST['event_minute'])) {
58
    $event_minute = $_POST['event_minute'];
58
    $event_minute = $_POST['event_minute'];
59
}
59
}
60
if (isset($_POST['event_length'])) {
60
if (isset($_POST['event_length']) && is_numeric($_POST['event_length'])) {
61
    $event_length = $_POST['event_length'];
61
    $event_length = $_POST['event_length'];
62
}
62
}
63
if (isset($_POST['event_priority'])) {
63
if (isset($_POST['event_priority']) && is_numeric($_POST['event_priority'])) {
64
    $event_priority = $_POST['event_priority'];
64
    $event_priority = $_POST['event_priority'];
65
}
65
}
66
if (isset($_POST['event_title'])) {
66
if (isset($_POST['event_title'])) {
(-)squirrelmail-1.4.4.orig/plugins/calendar/event_edit.php (-17 / +17 lines)
Lines 33-54 Link Here
33
if (isset($_POST['updated'])) {
33
if (isset($_POST['updated'])) {
34
    $updated = $_POST['updated'];
34
    $updated = $_POST['updated'];
35
}
35
}
36
if (isset($_POST['event_year'])) {
36
if (isset($_POST['event_year']) && is_numeric($_POST['event_year'])) {
37
    $event_year = $_POST['event_year'];
37
    $event_year = $_POST['event_year'];
38
}
38
}
39
if (isset($_POST['event_month'])) {
39
if (isset($_POST['event_month']) && is_numeric($_POST['event_month'])) {
40
    $event_month = $_POST['event_month'];
40
    $event_month = $_POST['event_month'];
41
}
41
}
42
if (isset($_POST['event_day'])) {
42
if (isset($_POST['event_day']) && is_numeric($_POST['event_day'])) {
43
    $event_day = $_POST['event_day'];
43
    $event_day = $_POST['event_day'];
44
}
44
}
45
if (isset($_POST['event_hour'])) {
45
if (isset($_POST['event_hour']) && is_numeric($_POST['event_hour'])) {
46
    $event_hour = $_POST['event_hour'];
46
    $event_hour = $_POST['event_hour'];
47
}
47
}
48
if (isset($_POST['event_minute'])) {
48
if (isset($_POST['event_minute']) && is_numeric($_POST['event_minute'])) {
49
    $event_minute = $_POST['event_minute'];
49
    $event_minute = $_POST['event_minute'];
50
}
50
}
51
if (isset($_POST['event_length'])) {
51
if (isset($_POST['event_length']) && is_numeric($_POST['event_length'])) {
52
    $event_length = $_POST['event_length'];
52
    $event_length = $_POST['event_length'];
53
}
53
}
54
if (isset($_POST['event_title'])) {
54
if (isset($_POST['event_title'])) {
Lines 60-99 Link Here
60
if (isset($_POST['send'])) {
60
if (isset($_POST['send'])) {
61
    $send = $_POST['send'];
61
    $send = $_POST['send'];
62
}
62
}
63
if (isset($_POST['event_priority'])) {
63
if (isset($_POST['event_priority']) && is_numeric($_POST['event_priority'])) {
64
    $event_priority = $_POST['event_priority'];
64
    $event_priority = $_POST['event_priority'];
65
}
65
}
66
if (isset($_POST['confirmed'])) {
66
if (isset($_POST['confirmed'])) {
67
    $confirmed = $_POST['confirmed'];
67
    $confirmed = $_POST['confirmed'];
68
}
68
}
69
if (isset($_POST['year'])) {
69
if (isset($_POST['year']) && is_numeric($_POST['year'])) {
70
    $year = $_POST['year'];
70
    $year = $_POST['year'];
71
}
71
}
72
elseif (isset($_GET['year'])) {
72
elseif (isset($_GET['year']) && is_numeric($_GET['year'])) {
73
    $year = $_GET['year'];
73
    $year = $_GET['year'];
74
}
74
}
75
if (isset($_POST['month'])) {
75
if (isset($_POST['month']) && is_numeric($_POST['month'])) {
76
    $month = $_POST['month'];
76
    $month = $_POST['month'];
77
}
77
}
78
elseif (isset($_GET['month'])) {
78
elseif (isset($_GET['month']) && is_numeric($_GET['month'])) {
79
    $month = $_GET['month'];
79
    $month = $_GET['month'];
80
}
80
}
81
if (isset($_POST['day'])) {
81
if (isset($_POST['day']) && is_numeric($_POST['day'])) {
82
    $day = $_POST['day'];
82
    $day = $_POST['day'];
83
}
83
}
84
elseif (isset($_GET['day'])) {
84
elseif (isset($_GET['day']) && is_numeric($_GET['day'])) {
85
    $day = $_GET['day'];
85
    $day = $_GET['day'];
86
}
86
}
87
if (isset($_POST['hour'])) {
87
if (isset($_POST['hour']) && is_numeric($_POST['hour'])) {
88
    $hour = $_POST['hour'];
88
    $hour = $_POST['hour'];
89
}
89
}
90
elseif (isset($_GET['hour'])) {
90
elseif (isset($_GET['hour']) && is_numeric($_GET['hour'])) {
91
    $hour = $_GET['hour'];
91
    $hour = $_GET['hour'];
92
}
92
}
93
if (isset($_POST['minute'])) {
93
if (isset($_POST['minute']) && is_numeric($_POST['minute'])) {
94
    $minute = $_POST['minute'];
94
    $minute = $_POST['minute'];
95
}
95
}
96
elseif (isset($_GET['minute'])) {
96
elseif (isset($_GET['minute']) && is_numeric($_GET['minute'])) {
97
    $minute = $_GET['minute'];
97
    $minute = $_GET['minute'];
98
}
98
}
99
/* got 'em */
99
/* got 'em */
(-)squirrelmail-1.4.4.orig/plugins/filters/options.php (-1 / +1 lines)
Lines 189-195 Link Here
189
                html_tag( 'td', '', 'left' ) .
189
                html_tag( 'td', '', 'left' ) .
190
                    '<input type="text" size="32" name="filter_what" value="';
190
                    '<input type="text" size="32" name="filter_what" value="';
191
        if (isset($filters[$theid]['what'])) {
191
        if (isset($filters[$theid]['what'])) {
192
            echo $filters[$theid]['what'];
192
            echo htmlspecialchars($filters[$theid]['what']);
193
        }
193
        }
194
        echo '" />'.
194
        echo '" />'.
195
                '</td>'.
195
                '</td>'.
(-)squirrelmail-1.4.4.orig/plugins/filters/spamoptions.php (-1 / +1 lines)
Lines 199-205 Link Here
199
    echo html_tag( 'p', '', 'center' ) .
199
    echo html_tag( 'p', '', 'center' ) .
200
         '[<a href="spamoptions.php?action=spam">' . _("Edit") . '</a>]' .
200
         '[<a href="spamoptions.php?action=spam">' . _("Edit") . '</a>]' .
201
         ' - [<a href="../../src/options.php">' . _("Done") . '</a>]</center><br /><br />';
201
         ' - [<a href="../../src/options.php">' . _("Done") . '</a>]</center><br /><br />';
202
    printf( _("Spam is sent to %s."), ($filters_spam_folder?'<b>'.imap_utf7_decode_local($filters_spam_folder).'</b>':'[<i>'._("not set yet").'</i>]' ) );
202
    printf( _("Spam is sent to %s."), ($filters_spam_folder?'<b>'.htmlspecialchars(imap_utf7_decode_local($filters_spam_folder)).'</b>':'[<i>'._("not set yet").'</i>]' ) );
203
    echo '<br />';
203
    echo '<br />';
204
    printf( _("Spam scan is limited to %s."), '<b>' . ( ($filters_spam_scan == 'new')?_("Unread messages only"):_("All messages") ) . '</b>' );
204
    printf( _("Spam scan is limited to %s."), '<b>' . ( ($filters_spam_scan == 'new')?_("Unread messages only"):_("All messages") ) . '</b>' );
205
    echo '</p>'.
205
    echo '</p>'.
(-)squirrelmail-1.4.4.orig/plugins/listcommands/mailout.php (-8 / +12 lines)
Lines 25-38 Link Here
25
sqgetGlobalVar('body',    $body,    SQ_GET);
25
sqgetGlobalVar('body',    $body,    SQ_GET);
26
sqgetGlobalVar('action',  $action,  SQ_GET);
26
sqgetGlobalVar('action',  $action,  SQ_GET);
27
echo html_tag('p', '', 'left' ) .
28
html_tag( 'table', '', 'center', $color[0], 'border="0" width="75%"' ) . "\n" .
29
    html_tag( 'tr',
30
        html_tag( 'th', _("Mailinglist") . ' ' . _($action), '', $color[9] )
31
    ) .
32
    html_tag( 'tr' ) .
33
    html_tag( 'td', '', 'left' );
34
35
switch ( $action ) {
27
switch ( $action ) {
36
case 'help':
28
case 'help':
37
    $out_string = _("This will send a message to %s requesting help for this list. You will receive an emailed response at the address below.");
29
    $out_string = _("This will send a message to %s requesting help for this list. You will receive an emailed response at the address below.");
Lines 42-48 Link Here
42
    break;
34
    break;
43
case 'unsubscribe':
35
case 'unsubscribe':
44
    $out_string = _("This will send a message to %s requesting that you will be unsubscribed from this list. It will try to unsubscribe the adress below.");
36
    $out_string = _("This will send a message to %s requesting that you will be unsubscribed from this list. It will try to unsubscribe the adress below.");
37
default:
38
    error_box(sprintf(_("Unknown action: %s"),htmlspecialchars($action)), $color);
39
    exit;
45
}
40
}
41
42
echo html_tag('p', '', 'left' ) .
43
html_tag( 'table', '', 'center', $color[0], 'border="0" width="75%"' ) . "\n" .
44
    html_tag( 'tr',
45
        html_tag( 'th', _("Mailinglist") . ' ' . _($action), '', $color[9] )
46
    ) .
47
    html_tag( 'tr' ) .
48
    html_tag( 'td', '', 'left' );
49
46
printf( $out_string, htmlspecialchars($send_to) );
50
printf( $out_string, htmlspecialchars($send_to) );
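Review bot: The `case 'unsubscribe':` branch at line 36 has no `break;` before the new `default:` at line 37, so an unsubscribe request sets `$out_string` and then falls through into `error_box(...)` and `exit`, which makes the unsubscribe action unreachable. Insert `    break;` after line 36. Moving the table markup below the switch is otherwise the right change, since the `default` branch now exits before any output is emitted.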
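--- a/squirrelmail-1.4.4.orig/plugins/newmail/newmail.php
+++ b/squirrelmail-1.4.4.orig/plugins/newmail/newmail.php
@@ -22,3 +22,4 @@
 require_once(SM_PATH . 'functions/page_header.php');
 sqGetGlobalVar('numnew', $numnew, SQ_GET);
+$numnew = (int)$numnew;
    displayHtmlHeader( _("New Mail"), '', FALSE );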
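--- a/squirrelmail-1.4.4.orig/plugins/spamcop/setup.php
+++ b/squirrelmail-1.4.4.orig/plugins/spamcop/setup.php
@@ -75,5 +75,8 @@
    sqgetGlobalVar('passed_ent_id',$passed_ent_id,SQ_FORM);
    sqgetGlobalVar('mailbox',      $mailbox,      SQ_FORM);
    sqgetGlobalVar('startMessage', $startMessage, SQ_FORM);
+   if ( sqgetGlobalVar('startMessage', $startMessage, SQ_FORM) ) {
+       $startMessage = (int)$startMessage;
+   }
    /* END GLOBALS */
    // catch unset passed_ent_id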
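Review bot: Line 77 `sqgetGlobalVar('startMessage', $startMessage, SQ_FORM);` is kept while the added lines 78-80 call the same function again, so the value is fetched twice; dropping line 77 (or turning it into the `if` line) leaves the cast as the only read. The same duplicated fetch appears in src/compose.php, where line 78 is retained above the new `if ( sqgetGlobalVar('startMessage',$startMessage) )` block. Note that src/compose.php also defaults `$startMessage` to `1` when the parameter is absent while this file does not; if `$startMessage` is later embedded in a link here (not visible in the hunk), the same `else { $startMessage = 1; }` would be worth adding.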
(-)squirrelmail-1.4.4.orig/plugins/squirrelspell/modules/lang_change.mod (-2 / +2 lines)
Lines 69-79 Link Here
69
  $lang_array = explode( ',', $lang_string );
69
  $lang_array = explode( ',', $lang_string );
70
  $dsp_string = '';
70
  $dsp_string = '';
71
  foreach( $lang_array as $a) {
71
  foreach( $lang_array as $a) {
72
    $dsp_string .= _(trim($a)) . ', ';
72
    $dsp_string .= _(htmlspecialchars(trim($a))) . ', ';
73
  }
73
  }
74
  $dsp_string = substr( $dsp_string, 0, -2 );
74
  $dsp_string = substr( $dsp_string, 0, -2 );
75
  $msg = '<p>'
75
  $msg = '<p>'
76
    . sprintf(_("Settings adjusted to: %s with %s as default dictionary."), '<strong>'.$dsp_string.'</strong>', '<strong>'._($lang_default).'</strong>')
76
    . sprintf(_("Settings adjusted to: %s with %s as default dictionary."), '<strong>'.$dsp_string.'</strong>', '<strong>'._(htmlspecialchars($lang_default)).'</strong>')
77
    . '</p>';
77
    . '</p>';
78
} else {
78
} else {
79
  /**
79
  /**
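Review bot: At lines 72 and 76 `htmlspecialchars()` is applied before `_()`, so the gettext lookup key becomes the escaped string; a language name containing `&`, `<` or a quote would no longer find its translation, and the catalog text (trusted, but chosen by the translator) is what ends up in the page unescaped. The conventional order is to translate first and escape the result, `$dsp_string .= htmlspecialchars(_(trim($a))) . ', ';` and `'<strong>'.htmlspecialchars(_($lang_default)).'</strong>'`. For plain ASCII language names both orders give the same output, so this is a robustness point rather than a visible bug.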
(-)squirrelmail-1.4.4.orig/src/addressbook.php (-2 / +3 lines)
Lines 279-285 Link Here
279
                                    html_tag( 'tr',
279
                                    html_tag( 'tr',
280
                                        html_tag( 'td',
280
                                        html_tag( 'td',
281
                                            "\n". '<strong><font color="' . $color[2] .
281
                                            "\n". '<strong><font color="' . $color[2] .
282
                                            '">' . _("ERROR") . ': ' . $abook->error . '</font></strong>' ."\n",
282
                                            '">' . _("ERROR") . ': ' . htmlspecialchars($abook->error) . '</font></strong>' ."\n",
283
                                            'center' )
283
                                            'center' )
284
                                        ),
284
                                        ),
285
                                    'center', '', 'width="100%"' );
285
                                    'center', '', 'width="100%"' );
Lines 331-337 Link Here
331
            html_tag( 'tr',
331
            html_tag( 'tr',
332
                html_tag( 'td',
332
                html_tag( 'td',
333
                    "\n". '<br /><strong><font color="' . $color[2] .
333
                    "\n". '<br /><strong><font color="' . $color[2] .
334
                    '">' . _("ERROR") . ': ' . $formerror . '</font></strong>' ."\n",
334
                    '">' . _("ERROR") . ': ' . htmlspecialchars($formerror) . '</font></strong>' ."\n",
335
                    'center' )
335
                    'center' )
336
                ),
336
                ),
337
            'center', '', 'width="100%"' );
337
            'center', '', 'width="100%"' );
Lines 343-348 Link Here
343
    /* Get and sort address list */
343
    /* Get and sort address list */
344
    $alist = $abook->list_addr();
344
    $alist = $abook->list_addr();
345
    if(!is_array($alist)) {
345
    if(!is_array($alist)) {
346
        htmlspecialchars($abook_error);
346
        plain_error_message($abook->error, $color);
347
        plain_error_message($abook->error, $color);
347
        exit;
348
        exit;
348
    }
349
    }
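Review bot: The added line 346 `htmlspecialchars($abook_error);` has no effect: its return value is discarded, and `$abook_error` is not the property printed on the next line, so `plain_error_message($abook->error, $color)` still receives the raw backend error. Replace the two lines with `plain_error_message(htmlspecialchars($abook->error), $color);`, unless `plain_error_message()` (defined elsewhere) escapes its argument itself, in which case the added line should simply be removed. With the separator in functions/addressbook.php now a bare `\n`, `nl2br()` applied after escaping would preserve the line breaks between backend errors.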
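--- a/squirrelmail-1.4.4.orig/src/compose.php
+++ b/squirrelmail-1.4.4.orig/src/compose.php
@@ -76,5 +76,10 @@
 sqgetGlobalVar('saved_draft',$saved_draft);
 sqgetGlobalVar('delete_draft',$delete_draft);
 sqgetGlobalVar('startMessage',$startMessage);
+if ( sqgetGlobalVar('startMessage',$startMessage) ) {
+    $startMessage = (int)$startMessage;
+} else {
+    $startMessage = 1;
+}
 /** POST VARS */
 sqgetGlobalVar('sigappend',             $sigappend,             SQ_POST);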
(-)squirrelmail-1.4.4.orig/src/printer_friendly_bottom.php (-1 / +2 lines)
Lines 33-39 Link Here
33
sqgetGlobalVar('passed_id', $passed_id, SQ_GET);
33
sqgetGlobalVar('passed_id', $passed_id, SQ_GET);
34
sqgetGlobalVar('mailbox', $mailbox, SQ_GET);
34
sqgetGlobalVar('mailbox', $mailbox, SQ_GET);
35
if (! sqgetGlobalVar('passed_ent_id', $passed_ent_id, SQ_GET) ) {
35
if (! sqgetGlobalVar('passed_ent_id', $passed_ent_id, SQ_GET) ||
36
    ! preg_match('/^\d+(\.\d+)*$/', $passed_ent_id) ) {
36
    $passed_ent_id = '';
37
    $passed_ent_id = '';
37
}
38
}
38
/* end globals */
39
/* end globals */
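Review bot: The added check `! preg_match('/^\d+(\.\d+)*$/', $passed_ent_id)` at line 36 still lets a value with a trailing newline through, because `$` in PCRE also matches just before a final `\n`; use `'/^\d+(\.\d+)*$/D'` (or `\z` in place of `$`) to anchor at the true end of the string. Whether a trailing newline can actually reach this point depends on what `sqgetGlobalVar()` does with the raw value, which is defined elsewhere.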
(-)squirrelmail-1.4.4.orig/src/right_main.php (-1 / +1 lines)
Lines 165-171 Link Here
165
do_hook('right_main_after_header');
165
do_hook('right_main_after_header');
166
if (isset($note)) {
166
if (isset($note)) {
167
    echo html_tag( 'div', '<b>' . $note .'</b>', 'center' ) . "<br />\n";
167
    echo html_tag( 'div', '<b>' . htmlspecialchars($note) .'</b>', 'center' ) . "<br />\n";
168
}
168
}
169
if ( sqgetGlobalVar('just_logged_in', $just_logged_in, SQ_SESSION) ) {
169
if ( sqgetGlobalVar('just_logged_in', $just_logged_in, SQ_SESSION) ) {
