From ef8d36adf548f8e9f4f4ca3f5ee23cd77bd99347 Mon Sep 17 00:00:00 2001 From: jangliss Date: Thu, 20 Jan 2005 20:35:21 +0000 Subject: [PATCH] - XSS fixes in src/webmail.php - Fixes for undefined varibles in src/webmail.php git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@8684 7612ce4b-ef26-0410-bec9-ea0150e637f0 --- ChangeLog | 3 ++- src/webmail.php | 19 ++++++++++++++++--- 2 files changed, 18 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 94669557..87bc602c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -187,7 +187,8 @@ Version 1.5.1 -- CVS options from Display Preferences there; also move some around within Display Preferences. - Security: Fix possible file/offsite inclusion in src/webmail.php. - [CAN-2005-0075] + - Security: Fix possible XSS issues in src/webmail.php. + - Fix undefined variables in src/webmail.php. Version 1.5.0 -------------------- diff --git a/src/webmail.php b/src/webmail.php index 1f3dd9ce..000efe97 100644 --- a/src/webmail.php +++ b/src/webmail.php @@ -41,6 +41,18 @@ sqgetGlobalVar('username', $username, SQ_SESSION); sqgetGlobalVar('delimiter', $delimiter, SQ_SESSION); sqgetGlobalVar('onetimepad', $onetimepad, SQ_SESSION); +if (sqgetGlobalVar('sort', $sort)) { + $sort = (int) $sort; +} + +if (sqgetGlobalVar('startMessage', $startMessage)) { + $startMessage = (int) $startMessage; +} + +if (!sqgetGlobalVar('mailbox',$mailbox)) { + $mailbox = 'INBOX'; +} + sqgetGlobalVar('right_frame', $right_frame, SQ_GET); if ( isset($_SESSION['session_expired_post']) ) { 
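Review bot: The `(int)` casts on `$sort` and `$startMessage` in the first src/webmail.php hunk run only when sqgetGlobalVar() reports the value as found, and unlike `$mailbox` neither variable gets a value on the miss path. Whether sqgetGlobalVar() resets its by-reference argument on a miss is not visible in this diff; if it does not, anything those names already hold skips the cast and reaches the URL built in the next hunk. An explicit miss branch, `else { $sort = null; }` and the same for `$startMessage`, would make the sanitised state unconditional. The three new calls also omit the source argument that the neighbouring lines pass (`SQ_SESSION`, `SQ_GET`), so a one-line comment stating which request sources are intended would help the next reader.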
@@ -136,8 +148,9 @@ if (empty($right_frame) || (strpos(urldecode($right_frame), '://'))) {
 if ($right_frame == 'right_main.php') {
 $urlMailbox = urlencode($mailbox);
- $right_frame_url =
- "right_main.php?mailbox=$urlMailbox&sort=$sort&startMessage=$startMessage";
+ $right_frame_url = "right_main.php?mailbox=$urlMailbox"
+ . (!empty($sort)?"&sort=$sort":'')
+ . (!empty($startMessage)?"&startMessage=$startMessage":'');
 } elseif ($right_frame == 'options.php') {
 $right_frame_url = 'options.php';
 } elseif ($right_frame == 'folders.php') {
@@ -147,7 +160,7 @@ if ($right_frame == 'right_main.php') {
 } else if ($right_frame == '') {
 $right_frame_url = 'right_main.php';
 } else {
- $right_frame_url = $right_frame;
+ $right_frame_url = htmlspecialchars($right_frame);
 }
 $left_frame = '
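Review bot: `!empty($sort)` in the rebuilt `$right_frame_url` also drops an explicit `sort=0`, because empty() treats integer 0 as empty. If 0 is a valid sort order for right_main.php (not visible in this diff), that request silently falls back to whatever default the script applies; `. (isset($sort) ? "&sort=$sort" : '')` would keep it. The safety of this string rests on the casts added near the top of the file, so a comment here such as `// $sort and $startMessage are cast to int above; $mailbox is urlencoded` would stop a later edit from breaking that link. The if/elseif chain continues outside the hunk.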
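Review bot: `htmlspecialchars($right_frame)` in the final else branch escapes markup characters but does not restrict where the frame may point. The only constraint visible is the guard quoted in the preceding hunk header, `strpos(urldecode($right_frame), '://')`, which is a truthiness test: it evaluates to 0 when the match is at offset 0, and it never matches values that carry a scheme without `//` or that are scheme-relative. Comparing with `!== false` and accepting only the relative script names the frameset is meant to load would close that gap. Called without flags, htmlspecialchars() on PHP versions of that period also leaves single quotes unescaped, which matters if the attribute receiving `$right_frame_url` is single-quoted; the line that emits it is outside the hunk.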