From: kink
Date: Wed, 9 Nov 2005 22:45:57 +0000 (+0000)
Subject: - Prevent right_frame to be set to '//www.example.com'.
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=0a03f924cd9f7a2eea57c609789f2e08d73c64c3;p=squirrelmail.git

- Prevent right_frame to be set to '//example.com'.

git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@10315 7612ce4b-ef26-0410-bec9-ea0150e637f0
---
diff --git a/ChangeLog b/ChangeLog
index 03284a68..b991ef26 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -478,6 +478,7 @@ Version 1.5.1 -- CVS
   - Make test for IE6 in SendDownloadHeaders also match versions higher than 6 (#1339211).
   - Allow double quote to be used in MOTD (#1276959).
+  - Prevent right_frame to be set to '//www.example.com'.
 
 Version 1.5.0 - 2 February 2004
 -------------------------------
diff --git a/src/webmail.php b/src/webmail.php
index a4ea43f7..36eb29a9 100644
--- a/src/webmail.php
+++ b/src/webmail.php
@@ -140,9 +140,12 @@ else {
  *
  * This was done to create a pure HTML way of refreshing the folder list since
  * we would like to use as little Javascript as possible.
+ *
+ * The test for // should catch any attempt to include off-site webpages into
+ * our frameset.
  */
-if (empty($right_frame) || (strpos(urldecode($right_frame), '://'))) {
+if (empty($right_frame) || (strpos(urldecode($right_frame), '//') !== false)) {
     $right_frame = '';
 }
@@ -182,4 +185,4 @@ echo $output;
 ?>
-
\ No newline at end of file
+
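Review bot: The new `strpos(..., '//')` test on the `if` line still denies only one spelling of an off-site reference; a value carrying a scheme with no double slash, or a backslash that browsers following the WHATWG URL parser normalise to `/`, passes the check and reaches whatever later emits `$right_frame` into the frameset. Since right_frame can only legitimately name one of a small set of local pages, comparing it against an allowlist of those page names is the robust fix; if the denylist is kept, it should at least also reject `:` and `\`, e.g. `if (empty($right_frame) || preg_match('#[:\\\\]|//#', urldecode($right_frame)))`. The added comment also promises more than the code delivers ("should catch any attempt to include off-site webpages"); reword it to `* Reject values containing '//' so a protocol-relative URL cannot be framed. This is a denylist, not a guarantee that the value names a local page.` Where `$right_frame` is consumed lies outside this hunk, so whether a later step narrows the value further is not visible here.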