Gentoo's Bugzilla – Attachment 61245 Details for
Bug 95937
mail-client/squirrelmail: XSS issues (CAN-2005-1769)
[patch]
sqm-144-xss.patch
sqm-144-xss.patch (text/plain), 25.02 KB, created by
Sune Kloppenborg Jeppesen (RETIRED)
on 2005-06-14 21:11:54 UTC
Description:
sqm-144-xss.patch
Filename:
MIME Type:
Creator:
Sune Kloppenborg Jeppesen (RETIRED)
Created:
2005-06-14 21:11:54 UTC
Size:
25.02 KB
patch
obsolete
>diff -uwr squirrelmail-1.4.4.orig/functions/addressbook.php squirrelmail-1.4.4/functions/addressbook.php
>--- squirrelmail-1.4.4.orig/functions/addressbook.php Mon Dec 27 16:03:42 2004
>+++ squirrelmail-1.4.4/functions/addressbook.php Mon Jun 13 21:59:31 2005
>@@ -108,7 +108,7 @@
> if (!$r && $showerr) {
> printf( ' ' . _("Error initializing LDAP server %s:") .
> "<br />\n", $param['host']);
>- echo ' ' . $abook->error;
>+ echo ' ' . htmlspecialchars($abook->error);
> exit;
> }
> }
>@@ -239,7 +239,7 @@
> if (is_array($res)) {
> $ret = array_merge($ret, $res);
> } else {
>- $this->error .= "<br />\n" . $backend->error;
>+ $this->error .= "\n" . $backend->error;
> $failed++;
> }
> }
>@@ -255,7 +255,7 @@
> 
> $ret = $this->backends[$bnum]->search($expression);
> if (!is_array($ret)) {
>- $this->error .= "<br />\n" . $this->backends[$bnum]->error;
>+ $this->error .= "\n" . $this->backends[$bnum]->error;
> $ret = FALSE;
> }
> }
>diff -uwr squirrelmail-1.4.4.orig/functions/mime.php squirrelmail-1.4.4/functions/mime.php
>--- squirrelmail-1.4.4.orig/functions/mime.php Mon Jan 10 19:52:48 2005
>+++ squirrelmail-1.4.4/functions/mime.php Mon Jun 13 21:59:31 2005
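Review bot: Replacing `"<br />\n"` with `"\n"` as the separator in the two `$this->error .=` hunks means the joined backend errors no longer carry an HTML line break, and the display sites this patch escapes (src/addressbook.php, `htmlspecialchars($abook->error)`) do not restore one, so several failing backends will render as one run-on line. The direction is right — the separator must not be markup once the whole string is escaped — but the display sites should then use `nl2br(htmlspecialchars($abook->error))` so the newline survives. Both methods that append to `$this->error` start and end outside these hunks.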
>@@ -1388,12 +1388,33 @@
> }
> }
> }
>+
>+ /**
>+ * Replace empty src tags with the blank image. src is only used
>+ * for frames, images, and image inputs. Doing a replace should
>+ * not affect them working as should be, however it will stop
>+ * IE from being kicked off when src for img tags are not set
>+ */
>+ if (($attname == 'src') && ($attvalue == '""')) {
>+ $attary{$attname} = '"' . SM_PATH . 'images/blank.png"';
>+ }
>+
> /**
> * Turn cid: urls into http-friendly ones.
> */
> if (preg_match("/^[\'\"]\s*cid:/si", $attvalue)){
> $attary{$attname} = sq_cid2http($message, $id, $attvalue, $mailbox);
> }
>+
>+ /**
>+ * "Hack" fix for Outlook using propriatary outbind:// protocol in img tags.
>+ * One day MS might actually make it match something useful, for now, falling
>+ * back to using cid2http, so we can grab the blank.png.
>+ */
>+ if (preg_match("/^[\'\"]\s*outbind:\/\//si", $attvalue)) {
>+ $attary{$attname} = sq_cid2http($message, $id, $attvalue, $mailbox);
>+ }
>+
> }
> /**
> * See if we need to append any attributes to this tag.
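Review bot: The empty-src check `if (($attname == 'src') && ($attvalue == '""'))` only recognises a double-quoted empty value, while the `cid:` and `outbind:` checks a few lines below accept either quote character (`^[\'\"]`), so `src=''` still goes through unchanged. Extend the comparison, e.g. `if (($attname == 'src') && ($attvalue == '""' || $attvalue == "''")) {`. The `outbind://` branch only works because sq_cid2http (patched later in this file) drops four characters with `substr(trim($cidurl), 4)` and then falls back to blank.png when nothing resolves; a one-line comment saying that the value is deliberately handed over in a form find_ent_id cannot resolve would save the next reader a puzzle. The enclosing attribute loop starts and ends outside the hunk.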
>@@ -1436,27 +1457,54 @@
> /**
> * Fix url('blah') declarations.
> */
>- $content = preg_replace("|url\s*\(\s*([\'\"])\s*\S+script\s*:.*?([\'\"])\s*\)|si",
>- "url(\\1$secremoveimg\\2)", $content);
>+ // $content = preg_replace("|url\s*\(\s*([\'\"])\s*\S+script\s*:.*?([\'\"])\s*\)|si",
>+ // "url(\\1$secremoveimg\\2)", $content);
>+ // remove NUL
>+ $content = str_replace("\0", "", $content);
>+ // NB I insert NUL characters to keep to avoid an infinite loop. They are removed after the loop.
>+ while (preg_match("/url\s*\(\s*[\'\"]?([^:]+):(.*)?[\'\"]?\s*\)/si", $content, $matches)) {
>+ $sProto = strtolower($matches[1]);
>+ switch ($sProto) {
> /**
> * Fix url('https*://.*) declarations but only if $view_unsafe_images
> * is false.
> */
>+ case 'https':
>+ case 'http':
> if (!$view_unsafe_images){
>- $content = preg_replace("|url\s*\(\s*([\'\"])\s*https*:.*?([\'\"])\s*\)|si",
>- "url(\\1$secremoveimg\\2)", $content);
>+ $sExpr = "/url\s*\(\s*([\'\"])\s*$sProto*:.*?([\'\"])\s*\)/si";
>+ $content = preg_replace($sExpr, "u\0r\0l(\\1$secremoveimg\\2)", $content);
> }
>-
>+ break;
> /**
> * Fix urls that refer to cid:
> */
>- while (preg_match("|url\s*\(\s*([\'\"]\s*cid:.*?[\'\"])\s*\)|si",
>- $content, $matches)){
>- $cidurl = $matches{1};
>+ case 'cid':
>+ $cidurl = 'cid:'. $matches[2];
> $httpurl = sq_cid2http($message, $id, $cidurl, $mailbox);
> $content = preg_replace("|url\s*\(\s*$cidurl\s*\)|si",
>- "url($httpurl)", $content);
>+ "u\0r\0l($httpurl)", $content);
>+ break;
>+ default:
>+ /**
>+ * replace url with protocol other then the white list
>+ * http,https and cid by an empty string.
>+ */
>+ $content = preg_replace("/url\s*\(\s*[\'\"]?([^:]+):(.*)?[\'\"]?\s*\)/si",
>+ "", $content);
>+ break;
> }
>+ break;
>+ }
>+ // remove NUL
>+ $content = str_replace("\0", "", $content);
>+
>+ /**
>+ * Remove any backslashes, entities, and extraneous whitespace.
>+ */
>+ $contentTemp = $content;
>+ sq_defang($contentTemp);
>+ sq_unspace($contentTemp);
> 
> /**
> * Fix stupid css declarations which lead to vulnerabilities
>@@ -1467,10 +1515,16 @@
> '/binding/i',
> '/include-source/i');
> $replace = Array('idiocy', 'idiocy', 'idiocy', 'idiocy');
>- $content = preg_replace($match, $replace, $content);
>+ $contentNew = preg_replace($match, $replace, $contentTemp);
>+ if ($contentNew !== $contentTemp) {
>+ // insecure css declarations are used. From now on we don't care
>+ // anymore if the css is destroyed by sq_deent, sq_unspace or sq_unbackslash
>+ $content = $contentNew;
>+ }
> return array($content, $newpos);
> }
> 
>+
> /**
> * This function converts cid: url's into the ones that can be viewed in
> * the browser.
>@@ -1492,15 +1546,46 @@
> $quotchar = '';
> }
> $cidurl = substr(trim($cidurl), 4);
>+
>+ $match_str = '/\{.*?\}\//';
>+ $str_rep = '';
>+ $cidurl = preg_replace($match_str, $str_rep, $cidurl);
>+
> $linkurl = find_ent_id($cidurl, $message);
> /* in case of non-save cid links $httpurl should be replaced by a sort of
> unsave link image */
> $httpurl = '';
>- if ($linkurl) {
>+
>+ /**
>+ * This is part of a fix for Outlook Express 6.x generating
>+ * cid URLs without creating content-id headers. These images are
>+ * not part of the multipart/related html mail. The html contains
>+ * <img src="cid:{some_id}/image_filename.ext"> references to
>+ * attached images with as goal to render them inline although
>+ * the attachment disposition property is not inline.
>+ */
>+
>+ if (empty($linkurl)) {
>+ if (preg_match('/{.*}\//', $cidurl)) {
>+ $cidurl = preg_replace('/{.*}\//','', $cidurl);
>+ if (!empty($cidurl)) {
>+ $linkurl = find_ent_id($cidurl, $message);
>+ }
>+ }
>+ }
>+
>+ if (!empty($linkurl)) {
> $httpurl = $quotchar . SM_PATH . 'src/download.php?absolute_dl=true&' .
> "passed_id=$id&mailbox=" . urlencode($mailbox) .
> '&ent_id=' . $linkurl . $quotchar;
>+ } else {
>+ /**
>+ * If we couldn't generate a proper img url, drop in a blank image
>+ * instead of sending back empty, otherwise it causes unusual behaviour
>+ */
>+ $httpurl = $quotchar . SM_PATH . 'images/blank.png';
> }
>+
> return $httpurl;
> }
> 
>@@ -1526,8 +1611,7 @@
> $attvalue = str_replace($quotchar, "", $attvalue);
> switch ($attname){
> case 'background':
>- $attvalue = sq_cid2http($message, $id,
>- $attvalue, $mailbox);
>+ $attvalue = sq_cid2http($message, $id, $attvalue, $mailbox);
> $styledef .= "background-image: url('$attvalue'); ";
> break;
> case 'bgcolor':
>@@ -1754,6 +1838,7 @@
> "embed",
> "title",
> "frameset",
>+ "xmp",
> "xml"
> );
> 
>@@ -1761,7 +1846,8 @@
> "img",
> "br",
> "hr",
>- "input"
>+ "input",
>+ "outbind"
> );
> 
> $force_tag_closing = true;
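Review bot: The new `else` branch returns `$quotchar . SM_PATH . 'images/blank.png'` without the closing `$quotchar`, unlike the `if` branch right above it that ends with `. $linkurl . $quotchar`, so a quoted `src` value routed here (the `cid:`/`outbind:` paths in the earlier mime.php hunk hand the value over with its quotes) comes back with an opening quote only and the remainder of the tag is absorbed into that attribute; it should read `$httpurl = $quotchar . SM_PATH . 'images/blank.png' . $quotchar;`. The `if (empty($linkurl))` block that strips a `{…}/` prefix a second time looks unreachable in practice, because the unconditional `preg_replace($match_str, $str_rep, $cidurl)` added a few lines earlier already removes every such prefix; keeping only one of the two would make the intent clearer. The function's opening lines are outside the hunk.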
>@@ -1816,6 +1902,7 @@
> "/binding/i",
> "/behaviou*r/i",
> "/include-source/i",
>+ "/position\s*:\s*absolute/i",
> "/url\s*\(\s*([\'\"])\s*\S+script\s*:.*([\'\"])\s*\)/si",
> "/url\s*\(\s*([\'\"])\s*mocha\s*:.*([\'\"])\s*\)/si",
> "/url\s*\(\s*([\'\"])\s*about\s*:.*([\'\"])\s*\)/si",
>@@ -1826,6 +1913,7 @@
> "idiocy",
> "idiocy",
> "idiocy",
>+ "",
> "url(\\1#\\1)",
> "url(\\1#\\1)",
> "url(\\1#\\1)",
>diff -uwr squirrelmail-1.4.4.orig/functions/page_header.php squirrelmail-1.4.4/functions/page_header.php
>--- squirrelmail-1.4.4.orig/functions/page_header.php Mon Dec 27 22:08:58 2004
>+++ squirrelmail-1.4.4/functions/page_header.php Mon Jun 13 21:59:31 2005
>@@ -275,6 +275,7 @@
> : html_tag( 'td', '', 'left' ) )
> . "\n";
> $urlMailbox = urlencode($mailbox);
>+ $startMessage = (int)$startMessage;
> echo makeComposeLink('src/compose.php?mailbox='.$urlMailbox.'&startMessage='.$startMessage);
> echo " \n";
> displayInternalLink ('src/addressbook.php', _("Addresses"));
>diff -uwr squirrelmail-1.4.4.orig/plugins/calendar/calendar.php squirrelmail-1.4.4/plugins/calendar/calendar.php
>--- squirrelmail-1.4.4.orig/plugins/calendar/calendar.php Mon Dec 27 16:03:49 2004
>+++ squirrelmail-1.4.4/plugins/calendar/calendar.php Mon Jun 13 21:59:31 2005
>@@ -29,16 +29,16 @@
> 
> /* get globals */
> 
>-if (isset($_GET['month'])) {
>+if (isset($_GET['month']) && is_numeric($_GET['month'])) {
> $month = $_GET['month'];
> }
>-if (isset($_GET['year'])) {
>+if (isset($_GET['year']) && is_numeric($_GET['year'])) {
> $year = $_GET['year'];
> }
>-if (isset($_POST['year'])) {
>+if (isset($_POST['year']) && is_numeric($_POST['year'])) {
> $year = $_POST['year'];
> }
>-if (isset($_POST['month'])) {
>+if (isset($_POST['month']) && is_numeric($_POST['month'])) {
> $month = $_POST['month'];
> }
> /* got 'em */
>diff -uwr squirrelmail-1.4.4.orig/plugins/calendar/day.php squirrelmail-1.4.4/plugins/calendar/day.php
>--- squirrelmail-1.4.4.orig/plugins/calendar/day.php Mon Dec 27 16:03:49 2004
>+++ squirrelmail-1.4.4/plugins/calendar/day.php Mon Jun 13 21:59:31 2005
>@@ -29,22 +29,22 @@
> require_once(SM_PATH . 'functions/html.php');
> 
> /* get globals */
>-if (isset($_GET['year'])) {
>+if (isset($_GET['year']) && is_numeric($_GET['year'])) {
> $year = $_GET['year'];
> }
>-elseif (isset($_POST['year'])) {
>+elseif (isset($_POST['year']) && is_numeric($_POST['year'])) {
> $year = $_POST['year'];
> }
>-if (isset($_GET['month'])) {
>+if (isset($_GET['month']) && is_numeric($_GET['month'])) {
> $month = $_GET['month'];
> }
>-elseif (isset($_POST['month'])) {
>+elseif (isset($_POST['month']) && is_numeric($_POST['month'])) {
> $month = $_POST['month'];
> }
>-if (isset($_GET['day'])) {
>+if (isset($_GET['day']) && is_numeric($_GET['day'])) {
> $day = $_GET['day'];
> }
>-elseif (isset($_POST['day'])) {
>+elseif (isset($_POST['day']) && is_numeric($_POST['day'])) {
> $day = $_POST['day'];
> }
> 
>diff -uwr squirrelmail-1.4.4.orig/plugins/calendar/event_create.php squirrelmail-1.4.4/plugins/calendar/event_create.php
>--- squirrelmail-1.4.4.orig/plugins/calendar/event_create.php Mon Dec 27 16:03:49 2004
>+++ squirrelmail-1.4.4/plugins/calendar/event_create.php Mon Jun 13 21:59:31 2005
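Review bot: `is_numeric()` is a looser gate than the `(int)` cast this same patch applies to `$startMessage` and `$numnew`: it accepts `1.5`, `1e3`, leading whitespace and, on PHP 5, hexadecimal strings, and the accepted value is then stored unchanged, so whatever consumes `$month`/`$year` still receives a string that need not be a plain integer. For consistency with the rest of the patch, cast on assignment, e.g. `$month = (int)$_GET['month'];`, or use `ctype_digit()` if the string form must be kept. The same pattern is repeated in the day.php hunk in this block and in the event_create.php and event_edit.php hunks that follow.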
>@@ -29,40 +29,40 @@
> 
> /* get globals */
> 
>-if (isset($_POST['year'])) {
>+if (isset($_POST['year']) && is_numeric($_POST['year'])) {
> $year = $_POST['year'];
> }
>-elseif (isset($_GET['year'])) {
>+elseif (isset($_GET['year']) && is_numeric($_GET['year'])) {
> $year = $_GET['year'];
> }
>-if (isset($_POST['month'])) {
>+if (isset($_POST['month']) && is_numeric($_POST['month'])) {
> $month = $_POST['month'];
> }
>-elseif (isset($_GET['month'])) {
>+elseif (isset($_GET['month']) && is_numeric($_GET['month'])) {
> $month = $_GET['month'];
> }
>-if (isset($_POST['day'])) {
>+if (isset($_POST['day']) && is_numeric($_POST['day'])) {
> $day = $_POST['day'];
> }
>-elseif (isset($_GET['day'])) {
>+elseif (isset($_GET['day']) && is_numeric($_GET['day'])) {
> $day = $_GET['day'];
> }
>-if (isset($_POST['hour'])) {
>+if (isset($_POST['hour']) && is_numeric($_POST['hour'])) {
> $hour = $_POST['hour'];
> }
>-elseif (isset($_GET['hour'])) {
>+elseif (isset($_GET['hour']) && is_numeric($_GET['hour'])) {
> $hour = $_GET['hour'];
> }
>-if (isset($_POST['event_hour'])) {
>+if (isset($_POST['event_hour']) && is_numeric($_POST['event_hour'])) {
> $event_hour = $_POST['event_hour'];
> }
>-if (isset($_POST['event_minute'])) {
>+if (isset($_POST['event_minute']) && is_numeric($_POST['event_minute'])) {
> $event_minute = $_POST['event_minute'];
> }
>-if (isset($_POST['event_length'])) {
>+if (isset($_POST['event_length']) && is_numeric($_POST['event_length'])) {
> $event_length = $_POST['event_length'];
> }
>-if (isset($_POST['event_priority'])) {
>+if (isset($_POST['event_priority']) && is_numeric($_POST['event_priority'])) {
> $event_priority = $_POST['event_priority'];
> }
> if (isset($_POST['event_title'])) {
>diff -uwr squirrelmail-1.4.4.orig/plugins/calendar/event_edit.php squirrelmail-1.4.4/plugins/calendar/event_edit.php
>--- squirrelmail-1.4.4.orig/plugins/calendar/event_edit.php Mon Dec 27 16:03:49 2004
>+++ squirrelmail-1.4.4/plugins/calendar/event_edit.php Mon Jun 13 21:59:31 2005
>@@ -33,22 +33,22 @@
> if (isset($_POST['updated'])) {
> $updated = $_POST['updated'];
> }
>-if (isset($_POST['event_year'])) {
>+if (isset($_POST['event_year']) && is_numeric($_POST['event_year'])) {
> $event_year = $_POST['event_year'];
> }
>-if (isset($_POST['event_month'])) {
>+if (isset($_POST['event_month']) && is_numeric($_POST['event_month'])) {
> $event_month = $_POST['event_month'];
> }
>-if (isset($_POST['event_day'])) {
>+if (isset($_POST['event_day']) && is_numeric($_POST['event_day'])) {
> $event_day = $_POST['event_day'];
> }
>-if (isset($_POST['event_hour'])) {
>+if (isset($_POST['event_hour']) && is_numeric($_POST['event_hour'])) {
> $event_hour = $_POST['event_hour'];
> }
>-if (isset($_POST['event_minute'])) {
>+if (isset($_POST['event_minute']) && is_numeric($_POST['event_minute'])) {
> $event_minute = $_POST['event_minute'];
> }
>-if (isset($_POST['event_length'])) {
>+if (isset($_POST['event_length']) && is_numeric($_POST['event_length'])) {
> $event_length = $_POST['event_length'];
> }
> if (isset($_POST['event_title'])) {
>@@ -60,40 +60,40 @@
> if (isset($_POST['send'])) {
> $send = $_POST['send'];
> }
>-if (isset($_POST['event_priority'])) {
>+if (isset($_POST['event_priority']) && is_numeric($_POST['event_priority'])) {
> $event_priority = $_POST['event_priority'];
> }
> if (isset($_POST['confirmed'])) {
> $confirmed = $_POST['confirmed'];
> }
>-if (isset($_POST['year'])) {
>+if (isset($_POST['year']) && is_numeric($_POST['year'])) {
> $year = $_POST['year'];
> }
>-elseif (isset($_GET['year'])) {
>+elseif (isset($_GET['year']) && is_numeric($_GET['year'])) {
> $year = $_GET['year'];
> }
>-if (isset($_POST['month'])) {
>+if (isset($_POST['month']) && is_numeric($_POST['month'])) {
> $month = $_POST['month'];
> }
>-elseif (isset($_GET['month'])) {
>+elseif (isset($_GET['month']) && is_numeric($_GET['month'])) {
> $month = $_GET['month'];
> }
>-if (isset($_POST['day'])) {
>+if (isset($_POST['day']) && is_numeric($_POST['day'])) {
> $day = $_POST['day'];
> }
>-elseif (isset($_GET['day'])) {
>+elseif (isset($_GET['day']) && is_numeric($_GET['day'])) {
> $day = $_GET['day'];
> }
>-if (isset($_POST['hour'])) {
>+if (isset($_POST['hour']) && is_numeric($_POST['hour'])) {
> $hour = $_POST['hour'];
> }
>-elseif (isset($_GET['hour'])) {
>+elseif (isset($_GET['hour']) && is_numeric($_GET['hour'])) {
> $hour = $_GET['hour'];
> }
>-if (isset($_POST['minute'])) {
>+if (isset($_POST['minute']) && is_numeric($_POST['minute'])) {
> $minute = $_POST['minute'];
> }
>-elseif (isset($_GET['minute'])) {
>+elseif (isset($_GET['minute']) && is_numeric($_GET['minute'])) {
> $minute = $_GET['minute'];
> }
> /* got 'em */
>diff -uwr squirrelmail-1.4.4.orig/plugins/filters/options.php squirrelmail-1.4.4/plugins/filters/options.php
>--- squirrelmail-1.4.4.orig/plugins/filters/options.php Mon Dec 27 16:03:57 2004
>+++ squirrelmail-1.4.4/plugins/filters/options.php Mon Jun 13 21:59:31 2005
>@@ -189,7 +189,7 @@
> html_tag( 'td', '', 'left' ) .
> '<input type="text" size="32" name="filter_what" value="';
> if (isset($filters[$theid]['what'])) {
>- echo $filters[$theid]['what'];
>+ echo htmlspecialchars($filters[$theid]['what']);
> }
> echo '" />'.
> '</td>'.
>diff -uwr squirrelmail-1.4.4.orig/plugins/filters/spamoptions.php squirrelmail-1.4.4/plugins/filters/spamoptions.php
>--- squirrelmail-1.4.4.orig/plugins/filters/spamoptions.php Mon Dec 27 16:03:57 2004
>+++ squirrelmail-1.4.4/plugins/filters/spamoptions.php Mon Jun 13 21:59:31 2005
>@@ -199,7 +199,7 @@
> echo html_tag( 'p', '', 'center' ) .
> '[<a href="spamoptions.php?action=spam">' . _("Edit") . '</a>]' .
> ' - [<a href="../../src/options.php">' . _("Done") . '</a>]</center><br /><br />';
>- printf( _("Spam is sent to %s."), ($filters_spam_folder?'<b>'.imap_utf7_decode_local($filters_spam_folder).'</b>':'[<i>'._("not set yet").'</i>]' ) );
>+ printf( _("Spam is sent to %s."), ($filters_spam_folder?'<b>'.htmlspecialchars(imap_utf7_decode_local($filters_spam_folder)).'</b>':'[<i>'._("not set yet").'</i>]' ) );
> echo '<br />';
> printf( _("Spam scan is limited to %s."), '<b>' . ( ($filters_spam_scan == 'new')?_("Unread messages only"):_("All messages") ) . '</b>' );
> echo '</p>'.
>diff -uwr squirrelmail-1.4.4.orig/plugins/listcommands/mailout.php squirrelmail-1.4.4/plugins/listcommands/mailout.php
>--- squirrelmail-1.4.4.orig/plugins/listcommands/mailout.php Mon Dec 27 16:03:58 2004
>+++ squirrelmail-1.4.4/plugins/listcommands/mailout.php Mon Jun 13 21:59:31 2005
>@@ -25,14 +25,6 @@
> sqgetGlobalVar('body', $body, SQ_GET);
> sqgetGlobalVar('action', $action, SQ_GET);
> 
>-echo html_tag('p', '', 'left' ) .
>-html_tag( 'table', '', 'center', $color[0], 'border="0" width="75%"' ) . "\n" .
>- html_tag( 'tr',
>- html_tag( 'th', _("Mailinglist") . ' ' . _($action), '', $color[9] )
>- ) .
>- html_tag( 'tr' ) .
>- html_tag( 'td', '', 'left' );
>-
> switch ( $action ) {
> case 'help':
> $out_string = _("This will send a message to %s requesting help for this list. You will receive an emailed response at the address below.");
>@@ -42,7 +34,19 @@
> break;
> case 'unsubscribe':
> $out_string = _("This will send a message to %s requesting that you will be unsubscribed from this list. It will try to unsubscribe the adress below.");
>+default:
>+ error_box(sprintf(_("Unknown action: %s"),htmlspecialchars($action)), $color);
>+ exit;
> }
>+
>+echo html_tag('p', '', 'left' ) .
>+html_tag( 'table', '', 'center', $color[0], 'border="0" width="75%"' ) . "\n" .
>+ html_tag( 'tr',
>+ html_tag( 'th', _("Mailinglist") . ' ' . _($action), '', $color[9] )
>+ ) .
>+ html_tag( 'tr' ) .
>+ html_tag( 'td', '', 'left' );
>+
> 
> printf( $out_string, htmlspecialchars($send_to) );
> 
>diff -uwr squirrelmail-1.4.4.orig/plugins/newmail/newmail.php squirrelmail-1.4.4/plugins/newmail/newmail.php
>--- squirrelmail-1.4.4.orig/plugins/newmail/newmail.php Mon Dec 27 16:03:58 2004
>+++ squirrelmail-1.4.4/plugins/newmail/newmail.php Mon Jun 13 21:59:31 2005
>@@ -22,6 +22,7 @@
> require_once(SM_PATH . 'functions/page_header.php');
> 
> sqGetGlobalVar('numnew', $numnew, SQ_GET);
>+$numnew = (int)$numnew;
> 
> displayHtmlHeader( _("New Mail"), '', FALSE );
> 
>diff -uwr squirrelmail-1.4.4.orig/plugins/spamcop/setup.php squirrelmail-1.4.4/plugins/spamcop/setup.php
>--- squirrelmail-1.4.4.orig/plugins/spamcop/setup.php Mon Dec 27 16:03:58 2004
>+++ squirrelmail-1.4.4/plugins/spamcop/setup.php Mon Jun 13 21:59:31 2005
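Review bot: The new `default:` label follows `case 'unsubscribe':` with no `break;` between the `$out_string = _("…unsubscribed…")` assignment and `default:`, so an `unsubscribe` request falls through, reports "Unknown action: unsubscribe" via `error_box()` and exits before the page is produced. Add `break;` after the `$out_string` assignment of the `unsubscribe` case. Moving the table header below the switch is fine, but `_($action)` in that header is still request-derived; it is safe only because the switch has just limited `$action` to three literal values, and a one-line comment on the `echo html_tag(...)` line saying so would keep a future edit from reordering them again.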
>@@ -75,6 +75,9 @@
> sqgetGlobalVar('passed_ent_id',$passed_ent_id,SQ_FORM);
> sqgetGlobalVar('mailbox', $mailbox, SQ_FORM);
> sqgetGlobalVar('startMessage', $startMessage, SQ_FORM);
>+ if ( sqgetGlobalVar('startMessage', $startMessage, SQ_FORM) ) {
>+ $startMessage = (int)$startMessage;
>+ }
> /* END GLOBALS */
> 
> // catch unset passed_ent_id
>diff -uwr squirrelmail-1.4.4.orig/plugins/squirrelspell/modules/lang_change.mod squirrelmail-1.4.4/plugins/squirrelspell/modules/lang_change.mod
>--- squirrelmail-1.4.4.orig/plugins/squirrelspell/modules/lang_change.mod Sat Jun 12 18:39:48 2004
>+++ squirrelmail-1.4.4/plugins/squirrelspell/modules/lang_change.mod Mon Jun 13 21:59:31 2005
>@@ -69,11 +69,11 @@
> $lang_array = explode( ',', $lang_string );
> $dsp_string = '';
> foreach( $lang_array as $a) {
>- $dsp_string .= _(trim($a)) . ', ';
>+ $dsp_string .= _(htmlspecialchars(trim($a))) . ', ';
> }
> $dsp_string = substr( $dsp_string, 0, -2 );
> $msg = '<p>'
>- . sprintf(_("Settings adjusted to: %s with %s as default dictionary."), '<strong>'.$dsp_string.'</strong>', '<strong>'._($lang_default).'</strong>')
>+ . sprintf(_("Settings adjusted to: %s with %s as default dictionary."), '<strong>'.$dsp_string.'</strong>', '<strong>'._(htmlspecialchars($lang_default)).'</strong>')
> . '</p>';
> } else {
> /**
>diff -uwr squirrelmail-1.4.4.orig/src/addressbook.php squirrelmail-1.4.4/src/addressbook.php
>--- squirrelmail-1.4.4.orig/src/addressbook.php Mon Dec 27 16:03:59 2004
>+++ squirrelmail-1.4.4/src/addressbook.php Mon Jun 13 21:59:31 2005
>@@ -279,7 +279,7 @@
> html_tag( 'tr',
> html_tag( 'td',
> "\n". '<strong><font color="' . $color[2] .
>- '">' . _("ERROR") . ': ' . $abook->error . '</font></strong>' ."\n",
>+ '">' . _("ERROR") . ': ' . htmlspecialchars($abook->error) . '</font></strong>' ."\n",
> 'center' )
> ),
> 'center', '', 'width="100%"' );
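Review bot: `sqgetGlobalVar('startMessage', $startMessage, SQ_FORM)` is now called twice in a row, once unconditionally and once as the condition of the new `if`; the first call is redundant, and when the parameter is absent `$startMessage` is left with whatever that first call produced rather than a known integer. Drop the bare call and keep `if ( sqgetGlobalVar('startMessage', $startMessage, SQ_FORM) ) { $startMessage = (int)$startMessage; }`, adding an `else { $startMessage = 1; }` as the compose.php hunk later in this patch does; that hunk has the same duplicated call and would benefit from the same cleanup.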
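Review bot: `_(htmlspecialchars(trim($a)))` escapes before the gettext lookup, so a language name containing `&`, `<` or a quote no longer matches its msgid, and the translated string — the text that actually reaches the page — is not escaped at all; `_(htmlspecialchars($lang_default))` on the next changed line has the same ordering. Escape the result of the translation instead: `$dsp_string .= htmlspecialchars(_(trim($a))) . ', ';` and `'<strong>'.htmlspecialchars(_($lang_default)).'</strong>'`.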
>@@ -331,7 +331,7 @@
> html_tag( 'tr',
> html_tag( 'td',
> "\n". '<br /><strong><font color="' . $color[2] .
>- '">' . _("ERROR") . ': ' . $formerror . '</font></strong>' ."\n",
>+ '">' . _("ERROR") . ': ' . htmlspecialchars($formerror) . '</font></strong>' ."\n",
> 'center' )
> ),
> 'center', '', 'width="100%"' );
>@@ -343,6 +343,7 @@
> /* Get and sort address list */
> $alist = $abook->list_addr();
> if(!is_array($alist)) {
>+ $abook-error = htmlspecialchars($abook_error);
> plain_error_message($abook->error, $color);
> exit;
> }
>diff -uwr squirrelmail-1.4.4.orig/src/compose.php squirrelmail-1.4.4/src/compose.php
>--- squirrelmail-1.4.4.orig/src/compose.php Mon Jan 3 16:06:28 2005
>+++ squirrelmail-1.4.4/src/compose.php Mon Jun 13 22:12:34 2005
>@@ -76,6 +76,11 @@
> sqgetGlobalVar('saved_draft',$saved_draft);
> sqgetGlobalVar('delete_draft',$delete_draft);
> sqgetGlobalVar('startMessage',$startMessage);
>+if ( sqgetGlobalVar('startMessage',$startMessage) ) {
>+ $startMessage = (int)$startMessage;
>+} else {
>+ $startMessage = 1;
>+}
> 
> /** POST VARS */
> sqgetGlobalVar('sigappend', $sigappend, SQ_POST);
>diff -uwr squirrelmail-1.4.4.orig/src/printer_friendly_bottom.php squirrelmail-1.4.4/src/printer_friendly_bottom.php
>--- squirrelmail-1.4.4.orig/src/printer_friendly_bottom.php Tue Dec 28 14:02:49 2004
>+++ squirrelmail-1.4.4/src/printer_friendly_bottom.php Mon Jun 13 21:59:31 2005
>@@ -33,7 +33,8 @@
> sqgetGlobalVar('passed_id', $passed_id, SQ_GET);
> sqgetGlobalVar('mailbox', $mailbox, SQ_GET);
> 
>-if (! sqgetGlobalVar('passed_ent_id', $passed_ent_id, SQ_GET) ) {
>+if (! sqgetGlobalVar('passed_ent_id', $passed_ent_id, SQ_GET) ||
>+ ! preg_match('/^\d+(\.\d+)*$/', $passed_ent_id) ) {
> $passed_ent_id = '';
> }
> /* end globals */
>diff -uwr squirrelmail-1.4.4.orig/src/right_main.php squirrelmail-1.4.4/src/right_main.php
>--- squirrelmail-1.4.4.orig/src/right_main.php Mon Dec 27 16:04:00 2004
>+++ squirrelmail-1.4.4/src/right_main.php Mon Jun 13 21:59:31 2005
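Review bot: `$abook-error = htmlspecialchars($abook_error);` in the `@@ -343` hunk does not assign the error property: `$abook-error` is a subtraction expression, which cannot be assigned to, and `$abook_error` is a variable the surrounding code never defines, so the line should fail to parse and the whole addressbook page with it. The intended line is `$abook->error = htmlspecialchars($abook->error);`; better still, escape at the output site (inside or around `plain_error_message()`) rather than rewriting stored state, which double-escapes any later consumer of `$abook->error`. The surrounding function starts outside the hunk.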
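Review bot: `preg_match('/^\d+(\.\d+)*$/', $passed_ent_id)` in the printer_friendly_bottom.php hunk still lets a value with a trailing newline through, because `$` without the `D` modifier also matches just before a final "\n". Use `'/^\d+(\.\d+)*$/D'` (or end the pattern with `\z`) so the entity id is exactly digits and dots.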
>@@ -165,7 +165,7 @@
> 
> do_hook('right_main_after_header');
> if (isset($note)) {
>- echo html_tag( 'div', '<b>' . $note .'</b>', 'center' ) . "<br />\n";
>+ echo html_tag( 'div', '<b>' . htmlspecialchars($note) .'</b>', 'center' ) . "<br />\n";
> }
> 
> if ( sqgetGlobalVar('just_logged_in', $just_logged_in, SQ_SESSION) ) {