From a28de4194b8f41675c0034aeabee86ab35a8c00f Mon Sep 17 00:00:00 2001 From: kink Date: Thu, 21 May 2009 17:11:22 +0000 Subject: [PATCH] The shell escaping fix in map_yp_alias (CVE-2009-1579) was incomplete. Thanks Michal Hlavinka for noticing this. [CVE-2009-1381] git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@13734 7612ce4b-ef26-0410-bec9-ea0150e637f0 --- doc/ChangeLog | 3 ++- functions/imap_general.php | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/doc/ChangeLog b/doc/ChangeLog index d9efb56c..4eb9f53f 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -304,7 +304,8 @@ Version 1.5.2 - SVN also includes general cleanup of that page (Thanks to Niels Teusink). [also CVE-2009-1578] - Fixed unsanitized shell command in example IMAP username mapping - function (map_yp_alias) (Thanks to Niels Teusink). [CVE-2009-1579] + function (map_yp_alias) (Thanks to Niels Teusink). + [CVE-2009-1579, CVE-2009-1381] - Fixed session fixation issues where someone who can modify a user's cookies could gain control of their login session. The SquirrelMail base URI is now uniformly generated, extraneous cookies are cleaned diff --git a/functions/imap_general.php b/functions/imap_general.php index 0121a210..2b0b0cf6 100755 --- a/functions/imap_general.php +++ b/functions/imap_general.php @@ -1436,6 +1436,7 @@ function sqimap_get_user_server ($imap_server, $username) { * @since 1.3.0 */ function map_yp_alias($username) { - $yp = `ypmatch ' . escapeshellarg($username) . ' aliases`; + $safe_username = escapeshellarg($username); + $yp = `ypmatch $safe_username aliases`; return chop(substr($yp, strlen($username)+1)); } -- 2.25.1