From: kink Date: Tue, 31 Jan 2006 07:27:44 +0000 (+0000) Subject: - Security: Fix possible cross site scripting through the right_main X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=02d8345e01f33bbbc7715287e9f1ea090b27b1c4;p=squirrelmail.git - Security: Fix possible cross site scripting through the right_main parameter of webmail.php. This now uses a whitelist of acceptable values. [CVE-2006-0188] git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@10618 7612ce4b-ef26-0410-bec9-ea0150e637f0
---
diff --git a/ChangeLog b/ChangeLog
index 6acfc9ab..22917a51 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -534,7 +534,9 @@ Version 1.5.1 -- CVS
 based templates.
 - Added footer template to every page.
 - Added experimental IMAP and SMTP STARTTLS extension support.
-
+ - Security: Fix possible cross site scripting through the right_main
+ parameter of webmail.php. This now uses a whitelist of acceptable
+ values. [CVE-2006-0188]
 Version 1.5.0 - 2 February 2004
 -------------------------------
diff --git a/src/webmail.php b/src/webmail.php
index 136415c1..39c1772b 100644
--- a/src/webmail.php
+++ b/src/webmail.php
@@ -149,22 +149,28 @@ if (empty($right_frame) || (strpos(urldecode($right_frame), '//') !== false)) {
 $right_frame = '';
 }
-if ($right_frame == 'right_main.php') {
- $urlMailbox = urlencode($mailbox);
- $right_frame_url = "right_main.php?mailbox=$urlMailbox"
+switch($right_frame) {
+ case 'right_main.php':
+ $right_frame_url = "right_main.php?mailbox=".urlencode($mailbox)
 . (!empty($sort)?"&sort=$sort":'')
 . (!empty($startMessage)?"&startMessage=$startMessage":'');
-} elseif ($right_frame == 'options.php') {
- $right_frame_url = 'options.php';
-} elseif ($right_frame == 'folders.php') {
- $right_frame_url = 'folders.php';
-} elseif ($right_frame == 'compose.php') {
- $right_frame_url = 'compose.php?' . $mailto;
-} else if ($right_frame == '') {
- $right_frame_url = 'right_main.php';
-} else {
- $right_frame_url = htmlspecialchars($right_frame);
-}
+ break;
+ case 'options.php':
+ $right_frame_url = 'options.php';
+ break;
+ case 'folders.php':
+ $right_frame_url = 'folders.php';
+ break;
+ case 'compose.php':
+ $right_frame_url = 'compose.php?' . $mailto;
+ break;
+ case '':
+ $right_frame_url = 'right_main.php';
+ break;
+ default:
+ $right_frame_url = urlencode($right_frame);
+ break;
+}
 $left_frame = '\n";
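Review bot: The `default:` branch still forwards an unrecognised `$right_frame` value into `$right_frame_url`, so the switch is not yet the whitelist the commit message describes; `urlencode()` does remove the HTML metacharacters that made the old `htmlspecialchars()` path exploitable, but it is URL escaping standing in for attribute escaping, and any same-directory script name a client supplies still becomes the frame target. Folding the fallthrough into the existing empty-string case, `case '':` / `default:` / `$right_frame_url = 'right_main.php';`, makes unknown values land on the default page and leaves only the listed scripts reachable. The `$sort` and `$startMessage` interpolations in the `right_main.php` case are carried over unchanged from the old code; if they are not already validated as integers before this point (outside the hunk), an `(int)` cast on each would close a similar injection path into the query string. The code that writes `$right_frame_url` into the frame markup lies outside the hunk, so the escaping applied at that output point could not be checked here.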