X-Git-Url: https://vcs.fsf.org/?a=blobdiff_plain;f=functions%2Fmime.php;h=14caa71b5a4cb6c447bd5e6fef1bb3287faab272;hb=cca46357afd0ea48aec2b7f7904c67b430f36fc3;hp=c28ba03ac28919e12e155d5180a6e30e62946327;hpb=c9d78ab426643e10c76057873f6a4a284595473a;p=squirrelmail.git

diff --git a/functions/mime.php b/functions/mime.php
index c28ba03a..14caa71b 100644
--- a/functions/mime.php
+++ b/functions/mime.php
@@ -102,7 +102,7 @@ function mime_parse_structure ($structure, $ent_id) {
         $start = $end+1;
         $end = mime_match_parenthesis ($start, $structure);
         /* add "forgotten"  parent entities (alternative and relative) */
-	if (strpos($ent_id, '0')  || strpos($ent_id) == 0) { 
+	if (strpos($ent_id, '0')  || strpos($ent_id, '0') == 0) { 
 	    $str = substr($structure, $end+1 );
 	    $startprop = strrpos($str,'(');
 	    $endprop   = strrpos($str,')');
@@ -801,8 +801,10 @@ function formatAttachments($message, $ent_id, $mailbox, $id) {
 	$header = $message->header;
         $type0 = strtolower($header->type0);
         $type1 = strtolower($header->type1);
-        $name = decodeHeader($header->name);
-
+	$name = '';
+	if (isset($header->name)) {
+    	    $name = decodeHeader($header->name);
+	}
 	if ($type0 =='message' && $type1 == 'rfc822') {
 	 
             $filename = decodeHeader($message->header->filename);
@@ -1083,12 +1085,16 @@ function MagicHTML( $body, $id ) {
             $pos = $i + 1;
             $tag = '';
             while ($body{$pos} == ' ' || $body{$pos} == "\t" ||
-                   $body{$pos} == "\n" ) {
+                   $body{$pos} == "\n") {
                 $pos ++;
             }
             while (strlen($tag) < 4 && $body{$pos} != ' ' &&
                    $body{$pos} != "\t" && $body{$pos} != "\n" &&
                    $pos < $j ) {
+                if ($body{$pos} == "<"){
+                    $tag = '';
+                    $pos++;
+                }
                 $tag .= $body{$pos};
                 $pos ++;
             }
@@ -1355,6 +1361,22 @@ function stripEvent( &$i, $j, &$body, $id, $base ) {
 
     while ( $body{$i} <> '>' &&
            $i < $j ) {
+        /**
+         * [ 545933 ] Cross-site scripting vulnerability
+         * <hr>
+         * <img x="<foo>" src=javascript:alert(1) y="</foo>">
+         * <hr>
+         *
+         * This code will ignore anything within the quotes
+         * so they don't mess us up.
+         */
+        if ( $body{$i} == '"' || $body{$i} == "'" ){
+            $quotechar = $body{$i};
+            do {
+                $ret .= $body{$i};
+                $i++;
+            } while ($body{$i} != $quotechar && $i < $j);
+        }
         $etg = strtolower($body{$i}.$body{$i+1}.$body{$i+2});
         switch( $etg ) {
         case 'src':