Sanitize integer option fields - only digits allowed

git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@14247 7612ce4b-ef26-0410-bec9-ea0150e637f0

diff --git a/functions/options.php b/functions/options.php
index a09f3a2e41840e2ec3917780c912b3ab21303f37..aef6e97420ec50c6de4b1e8870bb2cab2583c3da 100644 (file)
--- a/functions/options.php
+++ b/functions/options.php
@@ -894,6 +894,15 @@ function save_option($option) {
           && empty($option->new_value)) 
         setPref($data_dir, $username, $option->name, SMPREF_OFF);
 
+    // For integer fields, make sure we only have digits...
+    // We'll be nice and instead of just converting to an integer,
+    // we'll physically remove each non-digit in the string.
+    //
+    else if ($option->type == SMOPT_TYPE_INTEGER) {
+        $option->new_value = preg_replace('/[^0-9]/', '', $option->new_value);
+        setPref($data_dir, $username, $option->name, $option->new_value);
+    }
+
     else
         setPref($data_dir, $username, $option->name, $option->new_value);