Sanitize integer option fields - only digits allowed

[squirrelmail.git] / functions / options.php

diff --git a/functions/options.php b/functions/options.php
index 0935ebf80debac47483467c66ce8f6b88c04c954..aef6e97420ec50c6de4b1e8870bb2cab2583c3da 100644 (file)
--- a/functions/options.php
+++ b/functions/options.php
@@ -831,6 +831,21 @@ function save_option($option) {
         return;
     }
 
+    // if the widget is a selection list, make sure the new
+    // value is actually in the selection list and is not an
+    // injection attack
+    //
+    if ($option->type == SMOPT_TYPE_STRLIST
+     && !array_key_exists($option->new_value, $option->possible_values))
+        return;
+
+
+    // all other widgets except TEXTAREAs should never be allowed to have newlines
+    //
+    else if ($option->type != SMOPT_TYPE_TEXTAREA)
+        $option->new_value = str_replace(array("\r", "\n"), '', $option->new_value);
+
+
     global $data_dir;
 
     // edit lists: first add new elements to list, then
@@ -879,6 +894,15 @@ function save_option($option) {
           && empty($option->new_value)) 
         setPref($data_dir, $username, $option->name, SMPREF_OFF);
 
+    // For integer fields, make sure we only have digits...
+    // We'll be nice and instead of just converting to an integer,
+    // we'll physically remove each non-digit in the string.
+    //
+    else if ($option->type == SMOPT_TYPE_INTEGER) {
+        $option->new_value = preg_replace('/[^0-9]/', '', $option->new_value);
+        setPref($data_dir, $username, $option->name, $option->new_value);
+    }
+
     else
         setPref($data_dir, $username, $option->name, $option->new_value);