X-Git-Url: https://vcs.fsf.org/?a=blobdiff_plain;ds=sidebyside;f=functions%2Foptions.php;h=5bb582c1547600d2d40a2702adba6fb1ace82658;hb=d9b8769ca92973a03c12a6bfffd44d5b6885d2be;hp=8e96b60a5f76e02497b7981dd9193325fc313cc5;hpb=d4e46166df04792c6b939356ea5dfda8e47bba7b;p=squirrelmail.git
diff --git a/functions/options.php b/functions/options.php
index 8e96b60a..5bb582c1 100644
--- a/functions/options.php
+++ b/functions/options.php
@@ -5,7 +5,7 @@
  *
  * Functions needed to display the options pages.
  *
- * @copyright © 1999-2009 The SquirrelMail Project Team
+ * @copyright 1999-2012 The SquirrelMail Project Team
  * @license http://opensource.org/licenses/gpl-license.php GNU Public License
  * @version $Id$
  * @package squirrelmail
@@ -831,6 +831,21 @@ function save_option($option) {
         return;
     }
 
+    // if the widget is a selection list, make sure the new
+    // value is actually in the selection list and is not an
+    // injection attack
+    //
+    if ($option->type == SMOPT_TYPE_STRLIST
+        && !array_key_exists($option->new_value, $option->possible_values))
+        return;
+
+    // all other widgets except TEXTAREAs should never be allowed to have newlines
+    //
+    else if ($option->type != SMOPT_TYPE_TEXTAREA)
+        $option->new_value = str_replace(array("\r", "\n"), '', $option->new_value);
+
+
     global $data_dir;
+
 
     // edit lists: first add new elements to list, then
@@ -879,6 +894,15 @@ function save_option($option) {
         && empty($option->new_value))
         setPref($data_dir, $username, $option->name, SMPREF_OFF);
 
+    // For integer fields, make sure we only have digits...
+    // We'll be nice and instead of just converting to an integer,
+    // we'll physically remove each non-digit in the string.
+    //
+    else if ($option->type == SMOPT_TYPE_INTEGER) {
+        $option->new_value = preg_replace('/[^0-9]/', '', $option->new_value);
+        setPref($data_dir, $username, $option->name, $option->new_value);
+    }
+
     else
         setPref($data_dir, $username, $option->name, $option->new_value);
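Review bot: The new STRLIST guard in the second hunk passes `$option->new_value` straight into `array_key_exists()`, which only accepts scalar keys — a value submitted as an array instead of a string raises a warning on older PHP and a TypeError on PHP 8, so such a request errors out instead of being quietly dropped like an out-of-list value is; tightening the check to `if ($option->type == SMOPT_TYPE_STRLIST && (is_array($option->new_value) || !array_key_exists($option->new_value, $option->possible_values))) return;` keeps the rejection path uniform (this presumes `possible_values` is always an array for STRLIST widgets, which the hunk does not show — worth confirming). The `else if` that follows is chained to a branch that already returns, so a plain `if` reads more clearly and avoids the comment block sitting between an `if` and its `else`. The comment on the CR/LF stripping only says newlines are not allowed; it would help a later reader to state why, e.g. `// strip CR/LF so a submitted value cannot span lines in the stored preference` — presumably that is the intent, confirm against the preference backend before wording it as fact. save_option() begins and ends outside this hunk, and the third hunk's integer branch is cut off at the end of the page.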