From f43698c16073faebd44898def87a8c40df8f4530 Mon Sep 17 00:00:00 2001
From: pdontthink <pdontthink@7612ce4b-ef26-0410-bec9-ea0150e637f0>
Date: Mon, 11 May 2009 22:04:40 +0000
Subject: [PATCH] Sanitize decrypt_headers.php form input (base64 decoding is
 not the same as sanitizing), general cleanup and grammatical fixes.  Thanks
 to Niels Teusink.  (also CVE-2009-1578)

git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@13671 7612ce4b-ef26-0410-bec9-ea0150e637f0
---
 contrib/decrypt_headers.php | 33 ++++++++++++++++++++-------------
 doc/ChangeLog               |  5 ++++-
 2 files changed, 24 insertions(+), 14 deletions(-)

diff --git a/contrib/decrypt_headers.php b/contrib/decrypt_headers.php
index a8d7ff1d..f053ed98 100644
--- a/contrib/decrypt_headers.php
+++ b/contrib/decrypt_headers.php
@@ -60,23 +60,30 @@ echo '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"'."\n"
     ."</head><body>";
 
 if (sqgetGlobalVar('submit',$submit,SQ_POST)) {
+    $continue = TRUE;
     if (! sqgetGlobalVar('secret',$secret,SQ_POST) ||
-        empty($secret))
-        echo "<p>You must enter encryption key.</p>\n";
+        empty($secret)) {
+        $continue = FALSE;
+        echo "<p>You must enter an encryption key.</p>\n";
+    }
     if (! sqgetGlobalVar('enc_string',$enc_string,SQ_POST) ||
-        empty($enc_string))
-        echo "<p>You must enter encrypted string.</p>\n";
+        empty($enc_string)) {
+        $continue = FALSE;
+        echo "<p>You must enter an encrypted string.</p>\n";
+    }
 
-    if (isset($enc_string) && ! base64_decode($enc_string)) {
-        echo "<p>Encrypted string should be BASE64 encoded.<br />\n"
-            ."Please enter all characters that are listed after header name.</p>\n";
-    } elseif (isset($secret)) {
-        $string=OneTimePadDecrypt($enc_string,base64_encode($secret));
+    if ($continue) {
+        if (isset($enc_string) && ! base64_decode($enc_string)) {
+            echo "<p>Encrypted string should be BASE64 encoded.<br />\n"
+                ."Please enter all characters that are listed after header name.</p>\n";
+        } elseif (isset($secret)) {
+            $string=OneTimePadDecrypt($enc_string,base64_encode($secret));
 
-        if (sqgetGlobalVar('ip_addr',$is_addr,SQ_POST)) {
-            $string=hex2ip($string);
+            if (sqgetGlobalVar('ip_addr',$is_addr,SQ_POST)) {
+                $string=hex2ip($string);
+            }
+            echo "<p>Decoded string: ".htmlspecialchars($string)."</p>\n";
         }
-        echo "<p>Decoded string: ".$string."</p>\n";
     }
     echo "<hr />";
 }
@@ -85,7 +92,7 @@ if (sqgetGlobalVar('submit',$submit,SQ_POST)) {
 <p>
 Secret key: <input type="password" name="secret"><br />
 Encrypted string: <input type="text" name="enc_string"><br />
-Check, if it is an address string: <input type="checkbox" name="ip_addr" /><br />
+<label for="ip_addr">Check here if you are decoding an address string (FromHash/ProxyHash): </label><input type="checkbox" name="ip_addr" id="ip_addr" /><br />
 <button type="submit" name="submit" value="submit">Submit</button>
 </p>
 </form>
diff --git a/doc/ChangeLog b/doc/ChangeLog
index 0eb45944..234feac5 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -296,8 +296,11 @@ Version 1.5.2 - SVN
   - Remove ability for HTML emails to use CSS positioning to overlay
     SquirrelMail content (Thanks to Luc Beurton). (#2723196) [CVE-2009-1581]
   - Fixed improper sanitizing of PHP_SELF and the lack of sanitizing of
-    QUERY_STRING server environment variables. (Thanks to Niels Teusink
+    QUERY_STRING server environment variables (Thanks to Niels Teusink
     and Christian Balzer). [CVE-2009-1578]
+  - Fixed the lack of sanitizing of contrib/decrypt_headers.php input;
+    also includes general cleanup of that page (Thanks to Niels Teusink).
+    [also CVE-2009-1578]
 
 Version 1.5.1 (branched on 2006-02-12)
 --------------------------------------
-- 
2.25.1