Fix again for Internet Explorer's stupidity of decoding characters, then

executing it blindly.  This code was fixed originally, but apparently some
how didn't work right.  I checked on HastyMail and did a file comparision,
and noticed that one version of the same filter doesn't use \W... on removal
of that in the regex, the function seemed to correctly strip out bad functions

See http://www.securityfocus.com/archive/1/340118 for further information.

git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@6268 7612ce4b-ef26-0410-bec9-ea0150e637f0

diff --git a/functions/mime.php b/functions/mime.php
index 471d23322cd1fb78e93238b4a89fefaa1161391f..249cea364dffdfb0bcbf6f3db954d97cad36bbbe 100644 (file)
--- a/functions/mime.php
+++ b/functions/mime.php
@@ -850,6 +850,7 @@ function sq_unbackslash($attvalue){
     /**
      * Remove any backslashes. See if there are any first.
      */
+
     if (strstr($attvalue, '\\') !== false){
         $attvalue = stripslashes($attvalue);
     }
@@ -1282,13 +1283,14 @@ function sq_getnxtag($body, $offset){
  * @param  $attvalue A string to run entity check against.
  * @return           Translated value.
  */
+
 function sq_deent($attvalue){
     $me = 'sq_deent';
     /**
      * See if we have to run the checks first. All entities must start
      * with "&".
      */
-    if (strpos($attvalue, "&") === false){
+    if (strpos($attvalue, '&') === false){
         return $attvalue;
     }
     /**
@@ -1299,22 +1301,22 @@ function sq_deent($attvalue){
      * Leave " in, as it can mess us up.
      */
     $trans = array_flip($trans);
-    unset($trans{"""});
+    unset($trans{'"'});
     while (list($ent, $val) = each($trans)){
-        $attvalue = preg_replace("/$ent*(\W)/si", "$val\\1", $attvalue);
+        $attvalue = preg_replace('/' . $ent . '*/si', $val, $attvalue);
     }
     /**
      * Now translate numbered entities from 1 to 255 if needed.
      */
-    if (strpos($attvalue, "#") !== false){
+    if (strpos($attvalue, '#') !== false){
         $omit = Array(34, 39);
-        for ($asc=1; $asc<256; $asc++){
+        for ($asc = 256; $asc >= 0; $asc--){
             if (!in_array($asc, $omit)){
                 $chr = chr($asc);
-                $attvalue = preg_replace("/\&#0*$asc;*(\D)/si", "$chr\\1",
-                                         $attvalue);
-                $attvalue = preg_replace("/\&#x0*".dechex($asc).";*(\W)/si",
-                                         "$chr\\1", $attvalue);
+                $octrule = '/\&#0*' . $asc . ';*/si';
+                $hexrule = '/\&#x0*' . dechex($asc) . ';*/si';
+                $attvalue = preg_replace($octrule, $chr, $attvalue);
+                $attvalue = preg_replace($hexrule, $chr, $attvalue);
             }
         }
     }