Fix for possible remote file inclusion

git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@8680 7612ce4b-ef26-0410-bec9-ea0150e637f0

diff --git a/ChangeLog b/ChangeLog
index 04cb4ecc93ca94b1e6766af7b68b6eda785bd077..9466955786ddc400510a4e607cf26c75ffc6038c 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -180,12 +180,14 @@ Version 1.5.1 -- CVS
   - Max upload file size now correctly handles a '-1' value, meaning
     unlimited. (#1094569).
   - Security: Added hook for Preferences Backend to resolve potential
-    file inclusions. [CAN-2005-0075] 
+    file inclusions. [CAN-2005-0075]
   - Remove Printer Friendly Clean Display config option, the cleaning
     is now always done.
   - Create new Options section "Compose Preferences" and move some
     options from Display Preferences there; also move some around within
     Display Preferences.
+  - Security: Fix possible file/offsite inclusion in src/webmail.php.
+    [CAN-2005-0075]
 
 Version 1.5.0
 --------------------

diff --git a/src/webmail.php b/src/webmail.php
index 243314e0b569777ce5a677811880839c300cd77c..1f3dd9ce72630f583542e0d756cdf13f87d7ff51 100644 (file)
--- a/src/webmail.php
+++ b/src/webmail.php
@@ -129,9 +129,11 @@ else {
  * This was done to create a pure HTML way of refreshing the folder list since
  * we would like to use as little Javascript as possible.
  */
-if (!isset($right_frame)) {
+
+if (empty($right_frame) || (strpos(urldecode($right_frame), '://'))) {
     $right_frame = '';
 }
+
 if ($right_frame == 'right_main.php') {
     $urlMailbox = urlencode($mailbox);
     $right_frame_url =
@@ -166,4 +168,4 @@ if($ret != '') {
 echo $output;
 ?>
 </frameset>
-</html>
\ No newline at end of file
+</html>