From 2f8c79ee4f62a50c854141fb0ff2f44d8f5f5b9c Mon Sep 17 00:00:00 2001
From: pdontthink
Date: Thu, 29 Dec 2011 06:56:03 +0000
Subject: [PATCH] Sanitize integer option fields - only digits allowed

git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@14247 7612ce4b-ef26-0410-bec9-ea0150e637f0
---
 functions/options.php | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/functions/options.php b/functions/options.php
index a09f3a2e..aef6e974 100644
--- a/functions/options.php
+++ b/functions/options.php
@@ -894,6 +894,15 @@ function save_option($option) {
 && empty($option->new_value))
 setPref($data_dir, $username, $option->name, SMPREF_OFF);

+ // For integer fields, make sure we only have digits...
+ // We'll be nice and instead of just converting to an integer,
+ // we'll physically remove each non-digit in the string.
+ //
+ else if ($option->type == SMOPT_TYPE_INTEGER) {
+ $option->new_value = preg_replace('/[^0-9]/', '', $option->new_value);
+ setPref($data_dir, $username, $option->name, $option->new_value);
+ }
+
 else
 setPref($data_dir, $username, $option->name, $option->new_value);

-- 
2.25.1
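Review bot: The new `SMOPT_TYPE_INTEGER` branch repairs the submitted value by deleting characters instead of rejecting it, so `-5` is stored as `5`, `1.5` as `15`, and input with no digits at all as an empty string. Silent rewriting of this kind can save a different, valid-looking setting than the one that was submitted, and the empty result is passed to `setPref()` unchecked. Consider validating first with something like `if (is_string($option->new_value) && preg_match('/^[0-9]+$/D', $option->new_value))` and calling `setPref()` only when it passes, leaving the stored preference untouched otherwise. The `is_string()` part matters if `new_value` can arrive as an array from the request, which this hunk does not show; `preg_replace()` would then return an array and hand it to `setPref()`. `save_option()` starts and ends outside the hunk, so how callers react to a rejected value needs checking there.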