From 0a03f924cd9f7a2eea57c609789f2e08d73c64c3 Mon Sep 17 00:00:00 2001
From: kink
Date: Wed, 9 Nov 2005 22:45:57 +0000
Subject: [PATCH] - Prevent right_frame to be set to '//www.example.com'.

git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@10315 7612ce4b-ef26-0410-bec9-ea0150e637f0
---
 ChangeLog | 1 +
 src/webmail.php | 7 +++++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 03284a68..b991ef26 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -478,6 +478,7 @@ Version 1.5.1 -- CVS
 - Make test for IE6 in SendDownloadHeaders also match versions higher than 6 (#1339211).
 - Allow double quote to be used in MOTD (#1276959).
+ - Prevent right_frame to be set to '//www.example.com'.
 Version 1.5.0 - 2 February 2004
 -------------------------------
diff --git a/src/webmail.php b/src/webmail.php
index a4ea43f7..36eb29a9 100644
--- a/src/webmail.php
+++ b/src/webmail.php
@@ -140,9 +140,12 @@ else {
 *
 * This was done to create a pure HTML way of refreshing the folder list since
 * we would like to use as little Javascript as possible.
+ *
+ * The test for // should catch any attempt to include off-site webpages into
+ * our frameset.
 */
-if (empty($right_frame) || (strpos(urldecode($right_frame), '://'))) {
+if (empty($right_frame) || (strpos(urldecode($right_frame), '//') !== false)) {
 $right_frame = '';
 }
@@ -182,4 +185,4 @@ echo $output;
 ?>
-
\ No newline at end of file
+
--
2.25.1
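Review bot: The `//` test in the new condition only rejects protocol-relative and scheme://host targets; a value carrying another scheme (`javascript:`, `data:`) contains no `//` and would still be placed into the frameset the added comment describes, and so would forms the browser's URL parser normalises to `//` (backslashes, embedded whitespace). Rather than growing the deny-list, apply a positive check to the decoded value, e.g. `$target = urldecode($right_frame);` and `if (empty($target) || preg_match('#^[a-z][a-z0-9+.-]*:|//|\\\\|[\x00-\x20]#i', $target)) {`, which blanks anything with a scheme prefix, a double slash, a backslash or a control/space character. Whether $right_frame is written into the frame src verbatim or after urldecode() is not visible here, so the decoded form should be the one that is both checked and emitted. The comment block this hunk extends begins before the hunk.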