XSS fixes

git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@9616 7612ce4b-ef26-0410-bec9-ea0150e637f0

diff --git a/plugins/calendar/calendar.php b/plugins/calendar/calendar.php
index fe30b58c2c15920e28cc79e8f24bd6e259772cde..b87d694336df2c0041598a35d9966d42090cc898 100644 (file)
--- a/plugins/calendar/calendar.php
+++ b/plugins/calendar/calendar.php
@@ -34,16 +34,20 @@ require_once(SM_PATH . 'functions/html.php');
 
 /* get globals */
 
-if (isset($_GET['month'])) {
+// undo rg = on effects
+if (isset($month)) unset($month);
+if (isset($year))  unset($year);
+
+if (isset($_GET['month']) && is_numeric($_GET['month'])) {
     $month = $_GET['month'];
 }
-if (isset($_GET['year'])) {
+if (isset($_GET['year']) && is_numeric($_GET['year'])) {
     $year = $_GET['year'];
 }
-if (isset($_POST['year'])) {
+if (isset($_POST['year']) && is_numeric($_POST['year'])) {
     $year = $_POST['year'];
 }
-if (isset($_POST['month'])) {
+if (isset($_POST['month']) && is_numeric($_POST['month'])) {
     $month = $_POST['month'];
 }
 /* got 'em */

diff --git a/plugins/calendar/day.php b/plugins/calendar/day.php
index 72b2d1d80e7cc1d847b3463a03c2249f938ca948..d30676d27d8105dbe06db644f07c289ed9d0d267 100644 (file)
--- a/plugins/calendar/day.php
+++ b/plugins/calendar/day.php
@@ -32,22 +32,28 @@ require_once(SM_PATH . 'include/load_prefs.php');
 require_once(SM_PATH . 'functions/html.php');
 
 /* get globals */
-if (isset($_GET['year'])) {
+
+// undo rg = on effects
+if (isset($month)) unset($month);
+if (isset($year))  unset($year);
+if (isset($day))  unset($day);
+
+if (isset($_GET['year']) && is_numeric($_GET['year'])) {
     $year = $_GET['year'];
 }
-elseif (isset($_POST['year'])) {
+elseif (isset($_POST['year']) && is_numeric($_POST['year'])) {
     $year = $_POST['year'];
 }
-if (isset($_GET['month'])) {
+if (isset($_GET['month']) && is_numeric($_GET['month'])) {
     $month = $_GET['month'];
 }
-elseif (isset($_POST['month'])) {
+elseif (isset($_POST['month'])  && is_numeric($_POST['month'])) {
     $month = $_POST['month'];
 }
-if (isset($_GET['day'])) {
+if (isset($_GET['day']) && is_numeric($_GET['day'])) {
     $day = $_GET['day'];
 }
-elseif (isset($_POST['day'])) {
+elseif (isset($_POST['day'])  && is_numeric($_POST['day'])) {
     $day = $_POST['day'];
 }
 

diff --git a/plugins/calendar/event_create.php b/plugins/calendar/event_create.php
index 19e4e8802793462b4877d8674a5c0f0efbe4b39d..febd8375867dee08e32b4c20a598c6da964b2407 100644 (file)
--- a/plugins/calendar/event_create.php
+++ b/plugins/calendar/event_create.php
@@ -35,40 +35,53 @@ require_once(SM_PATH . 'functions/html.php');
 
 /* get globals */
 
-if (isset($_POST['year'])) {
-    $year = $_POST['year'];
-}
-elseif (isset($_GET['year'])) {
+// undo rg = on effects
+if (isset($month)) unset($month);
+if (isset($year))  unset($year);
+if (isset($day))  unset($day);
+if (isset($hour))  unset($hour);
+if (isset($minute))  unset($minute);
+if (isset($event_hour))  unset($event_hour);
+if (isset($event_minute))  unset($event_minute);
+if (isset($event_length))  unset($event_length);
+if (isset($event_priority))  unset($event_priority);
+
+
+if (isset($_GET['year']) && is_numeric($_GET['year'])) {
     $year = $_GET['year'];
 }
-if (isset($_POST['month'])) {
-    $month = $_POST['month'];
+elseif (isset($_POST['year']) && is_numeric($_POST['year'])) {
+    $year = $_POST['year'];
 }
-elseif (isset($_GET['month'])) {
+if (isset($_GET['month']) && is_numeric($_GET['month'])) {
     $month = $_GET['month'];
 }
-if (isset($_POST['day'])) {
-    $day = $_POST['day'];
+elseif (isset($_POST['month']) && is_numeric($_POST['month'])) {
+    $month = $_POST['month'];
 }
-elseif (isset($_GET['day'])) {
+if (isset($_GET['day']) && is_numeric($_GET['day'])) {
     $day = $_GET['day'];
 }
-if (isset($_POST['hour'])) {
+elseif (isset($_POST['day']) && is_numeric($_POST['day'])) {
+    $day = $_POST['day'];
+}
+
+if (isset($_POST['hour']) && is_numeric($_POST['hour'])) {
     $hour = $_POST['hour'];
 }
-elseif (isset($_GET['hour'])) {
+elseif (isset($_GET['hour']) && is_numeric($_GET['hour'])) {
     $hour = $_GET['hour'];
 }
-if (isset($_POST['event_hour'])) {
+if (isset($_POST['event_hour']) && is_numeric($_POST['event_hour'])) {
     $event_hour = $_POST['event_hour'];
 }
-if (isset($_POST['event_minute'])) {
+if (isset($_POST['event_minute']) && is_numeric($_POST['event_minute'])) {
     $event_minute = $_POST['event_minute'];
 }
-if (isset($_POST['event_length'])) {
+if (isset($_POST['event_length']) && is_numeric($_POST['event_length'])) {
     $event_length = $_POST['event_length'];
 }
-if (isset($_POST['event_priority'])) {
+if (isset($_POST['event_priority']) && is_numeric($_POST['event_priority'])) {
     $event_priority = $_POST['event_priority'];
 }
 if (isset($_POST['event_title'])) {

diff --git a/plugins/calendar/event_edit.php b/plugins/calendar/event_edit.php
index c937e9aea9f0c1804c0e3bdfbc87cd3125fcc471..8a8397571478f80232a96d1fe1489120de27458f 100644 (file)
--- a/plugins/calendar/event_edit.php
+++ b/plugins/calendar/event_edit.php
@@ -34,25 +34,40 @@ require_once(SM_PATH . 'functions/html.php');
 
 /* get globals */
 
+// undo rg = on effects
+if (isset($month)) unset($month);
+if (isset($year))  unset($year);
+if (isset($day))  unset($day);
+if (isset($hour))  unset($hour);
+if (isset($minute))  unset($minute);
+if (isset($event_year))  unset($event_year);
+if (isset($event_month))  unset($event_month);
+if (isset($event_day))  unset($event_day);
+if (isset($event_hour))  unset($event_hour);
+if (isset($event_minute))  unset($event_minute);
+if (isset($event_length))  unset($event_length);
+if (isset($event_priority))  unset($event_priority);
+
 if (isset($_POST['updated'])) {
     $updated = $_POST['updated'];
 }
-if (isset($_POST['event_year'])) {
+
+if (isset($_POST['event_year']) && is_numeric($_POST['event_year'])) {
     $event_year = $_POST['event_year'];
 }
-if (isset($_POST['event_month'])) {
+if (isset($_POST['event_month']) && is_numeric($_POST['event_month'])) {
     $event_month = $_POST['event_month'];
 }
-if (isset($_POST['event_day'])) {
+if (isset($_POST['event_day']) && is_numeric($_POST['event_day'])) {
     $event_day = $_POST['event_day'];
 }
-if (isset($_POST['event_hour'])) {
+if (isset($_POST['event_hour']) && is_numeric($_POST['event_hour'])) {
     $event_hour = $_POST['event_hour'];
 }
-if (isset($_POST['event_minute'])) {
+if (isset($_POST['event_minute']) && is_numeric($_POST['event_minute'])) {
     $event_minute = $_POST['event_minute'];
 }
-if (isset($_POST['event_length'])) {
+if (isset($_POST['event_length']) && is_numeric($_POST['event_length'])) {
     $event_length = $_POST['event_length'];
 }
 if (isset($_POST['event_title'])) {
@@ -64,40 +79,37 @@ if (isset($_POST['event_text'])) {
 if (isset($_POST['send'])) {
     $send = $_POST['send'];
 }
-if (isset($_POST['event_priority'])) {
+if (isset($_POST['event_priority']) && is_numeric($_POST['event_priority'])) {
     $event_priority = $_POST['event_priority'];
 }
 if (isset($_POST['confirmed'])) {
     $confirmed = $_POST['confirmed'];
 }
-if (isset($_POST['year'])) {
+
+if (isset($_POST['year']) && is_numeric($_POST['year'])) {
     $year = $_POST['year'];
-}
-elseif (isset($_GET['year'])) {
+} elseif (isset($_GET['year']) && is_numeric($_GET['year'])) {
     $year = $_GET['year'];
 }
-if (isset($_POST['month'])) {
+if (isset($_POST['month']) && is_numeric($_POST['month'])) {
     $month = $_POST['month'];
-}
-elseif (isset($_GET['month'])) {
+} elseif (isset($_GET['month']) && is_numeric($_GET['month'])) {
     $month = $_GET['month'];
 }
-if (isset($_POST['day'])) {
+if (isset($_POST['day']) && is_numeric($_POST['day'])) {
     $day = $_POST['day'];
-}
-elseif (isset($_GET['day'])) {
+} elseif (isset($_GET['day']) && is_numeric($_GET['day'])) {
     $day = $_GET['day'];
 }
-if (isset($_POST['hour'])) {
+if (isset($_POST['hour']) && is_numeric($_POST['hour'])) {
     $hour = $_POST['hour'];
-}
-elseif (isset($_GET['hour'])) {
+} elseif (isset($_GET['hour']) && is_numeric($_GET['hour'])) {
     $hour = $_GET['hour'];
 }
-if (isset($_POST['minute'])) {
+if (isset($_POST['minute']) && is_numeric($_POST['minute'])) {
     $minute = $_POST['minute'];
 }
-elseif (isset($_GET['minute'])) {
+elseif (isset($_GET['minute']) && is_numeric($_GET['minute'])) {
     $minute = $_GET['minute'];
 }
 /* got 'em */

diff --git a/plugins/listcommands/mailout.php b/plugins/listcommands/mailout.php
index c85d2680c9dccd61e8a933066a6dbe6280505009..58dfb7aed2ab81a028677353535eb24a47e4bde7 100644 (file)
--- a/plugins/listcommands/mailout.php
+++ b/plugins/listcommands/mailout.php
@@ -33,14 +33,6 @@ sqgetGlobalVar('action',  $action,  SQ_GET);
 displayPageHeader($color, $mailbox);
 $fieldsdescr = listcommands_fieldsdescr();
 
-echo html_tag('p', '', 'left' ) .
-    html_tag( 'table', '', 'center', $color[0], 'border="0" width="75%"' ) . "\n" .
-    html_tag( 'tr',
-            html_tag( 'th', _("Mailinglist") . ': ' . $fieldsdescr[$action], '', $color[9] )
-            ) .
-    html_tag( 'tr' ) .
-    html_tag( 'td', '', 'left' );
-
 switch ( $action ) {
     case 'help':
         $out_string = _("This will send a message to %s requesting help for this list. You will receive an emailed response at the address below.");
@@ -50,8 +42,20 @@ switch ( $action ) {
         break;
     case 'unsubscribe':
         $out_string = _("This will send a message to %s requesting that you will be unsubscribed from this list. It will try to unsubscribe the adress below.");
+        break;
+    default:
+        error_box(sprintf(_("Unknown action: %s"),htmlspecialchars($action)), $color);
+        exit;
 }
 
+echo html_tag('p', '', 'left' ) .
+    html_tag( 'table', '', 'center', $color[0], 'border="0" width="75%"' ) . "\n" .
+    html_tag( 'tr',
+            html_tag( 'th', _("Mailinglist") . ': ' . $fieldsdescr[$action], '', $color[9] )
+            ) .
+    html_tag( 'tr' ) .
+    html_tag( 'td', '', 'left' );
+
 printf($out_string, '"' . htmlspecialchars($send_to) . '"');
 
 echo addForm(SM_PATH . 'src/compose.php', 'post');

diff --git a/plugins/newmail/newmail.php b/plugins/newmail/newmail.php
index 3c1d65ec5f31629f8e278e758146896760665835..82a95a765697c37df6c598441e9f44b2cb734176 100644 (file)
--- a/plugins/newmail/newmail.php
+++ b/plugins/newmail/newmail.php
@@ -19,6 +19,7 @@ define('SM_PATH','../../');
 require_once(SM_PATH . 'include/validate.php');
 
 sqGetGlobalVar('numnew', $numnew, SQ_GET);
+$numnew = (int)$numnew;
 
    displayHtmlHeader( _("New Mail"), '', FALSE );
 

diff --git a/plugins/spamcop/setup.php b/plugins/spamcop/setup.php
index 220f2748a059152e99edd74f7b3bdbea5d9d760d..d73d72cca0b867c0eafa471d93c0c1fbc0895bb4 100755 (executable)
--- a/plugins/spamcop/setup.php
+++ b/plugins/spamcop/setup.php
@@ -83,7 +83,9 @@ function spamcop_show_link() {
     sqgetGlobalVar('passed_id',    $passed_id,    SQ_FORM);
     sqgetGlobalVar('passed_ent_id',$passed_ent_id,SQ_FORM);
     sqgetGlobalVar('mailbox',      $mailbox,      SQ_FORM);
-    sqgetGlobalVar('startMessage', $startMessage, SQ_FORM);
+    if ( sqgetGlobalVar('startMessage', $startMessage, SQ_FORM) ) {
+        $startMessage = (int)$startMessage;
+    }
     /* END GLOBALS */
 
     // catch unset passed_ent_id

diff --git a/plugins/squirrelspell/modules/lang_change.mod b/plugins/squirrelspell/modules/lang_change.mod
index 0b93a61ab485ea78458b98fd5a555369bd23ecf6..cf738e63a71742e3e6aabc88e65d1c871c0b3d78 100644 (file)
--- a/plugins/squirrelspell/modules/lang_change.mod
+++ b/plugins/squirrelspell/modules/lang_change.mod
@@ -39,7 +39,7 @@ foreach ($use_langs as $lang) {
 if (sizeof($new_langs)>1) {
   $dsp_string = '';
   foreach( $new_langs as $a) {
-    $dsp_string .= _(trim($a)) . ', ';
+    $dsp_string .= _(htmlspecialchars(trim($a))) . ', ';
   }
   // remove last comma and space
   $dsp_string = substr( $dsp_string, 0, -2 );

diff --git a/src/compose.php b/src/compose.php
index eab20f32332609b035e2502ff9230b22e1a85952..dd8c58ac5f4abf83a78143cf920640ae24d9d2bf 100644 (file)
--- a/src/compose.php
+++ b/src/compose.php
@@ -77,7 +77,11 @@ sqgetGlobalVar('draft_id',$draft_id);
 sqgetGlobalVar('ent_num',$ent_num);
 sqgetGlobalVar('saved_draft',$saved_draft);
 sqgetGlobalVar('delete_draft',$delete_draft);
-sqgetGlobalVar('startMessage',$startMessage);
+if ( sqgetGlobalVar('startMessage',$startMessage) ) {
+    $startMessage = (int)$startMessage;
+} else {
+    $startMessage = 1;
+}
 
 /** POST VARS */
 sqgetGlobalVar('sigappend',             $sigappend,             SQ_POST);
@@ -388,7 +392,7 @@ if ($draft) {
                 echo '   <br><br><center><a href="' . $location
                     . '/compose.php?saved_sent=yes&amp;session=' . $composesession . '">'
                     . _("Return") . '</a></center>';
-            }            
+            }
             exit();
         } else {
             if ( !isset($pageheader_sent) || !$pageheader_sent ) {
@@ -399,7 +403,7 @@ if ($draft) {
                     . '/right_main.php?mailbox=' . urlencode($draft_folder)
                     . '&amp;startMessage=1&amp;note=' . urlencode($draft_message) .'">'
                     . _("Return") . '</a></center>';
-            }            
+            }
             exit();
         }
     }

diff --git a/src/right_main.php b/src/right_main.php
index c8380e7d611afd87807e037a7d585dbaae95cb79..d5285890f6a965dbd3007900d43243f99ba14eb5 100644 (file)
--- a/src/right_main.php
+++ b/src/right_main.php
@@ -17,6 +17,7 @@
  * Path for SquirrelMail required files.
  * @ignore
  */
+//xdebug_start_profiling();
 define('SM_PATH','../');
 
 /* SquirrelMail required files. */
@@ -292,7 +293,7 @@ if (isset($mail_sent) && $mail_sent == 'yes') {
     $note = _("Your Message has been sent.");
 }
 if (isset($note)) {
-    echo html_tag( 'div', '<b>' . $note .'</b>', 'center' ) . "<br />\n";
+    echo html_tag( 'div', '<b>' . htmlspecialchars($note) .'</b>', 'center' ) . "<br />\n";
 }
 
 if ( sqgetGlobalVar('just_logged_in', $just_logged_in, SQ_SESSION) ) {
@@ -373,5 +374,8 @@ echo '</body></html>';
 /* add the mailbox to the cache */
 $mailbox_cache[$account.'_'.$aMailbox['NAME']] = $aMailbox;
 sqsession_register($mailbox_cache,'mailbox_cache');
+echo "<br>".__FILE__;
+//xdebug_dump_function_profile(4);
+
 
 ?>
\ No newline at end of file

diff --git a/src/search.php b/src/search.php
index b08778f5e50e55c46e8c832de7780fa37066365c..a5765d712d92651586673c37553b87a8c524c60b 100644 (file)
--- a/src/search.php
+++ b/src/search.php
@@ -1387,7 +1387,7 @@ if (isset($aMailbox['FORWARD_SESSION'])) {
 }
 
 if (isset($note)) {
-    echo html_tag( 'div', '<b>' . $note .'</b>', 'center' ) . "<br />\n";
+    echo html_tag( 'div', '<b>' . htmlspecialchars($note) .'</b>', 'center' ) . "<br />\n";
 }