- Prevent right_frame to be set to '//www.example.com'.

git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@10315 7612ce4b-ef26-0410-bec9-ea0150e637f0

diff --git a/ChangeLog b/ChangeLog
index 03284a6816bd85cbe5a87a643e11a7577b5200e9..b991ef261cbf2e9af0c011969d86f53c93ab3aa9 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -478,6 +478,7 @@ Version 1.5.1 -- CVS
   - Make test for IE6 in SendDownloadHeaders also match versions higher
     than 6 (#1339211).
   - Allow double quote to be used in MOTD (#1276959).
+  - Prevent right_frame to be set to '//www.example.com'.
 
 Version 1.5.0 - 2 February 2004
 -------------------------------

diff --git a/src/webmail.php b/src/webmail.php
index a4ea43f7acbe01eb0582d65fced09162a7ce55d9..36eb29a957d7803ec6ee4d24d50b15f911b9f30a 100644 (file)
--- a/src/webmail.php
+++ b/src/webmail.php
@@ -140,9 +140,12 @@ else {
  *
  * This was done to create a pure HTML way of refreshing the folder list since
  * we would like to use as little Javascript as possible.
+ *
+ * The test for // should catch any attempt to include off-site webpages into
+ * our frameset.
  */
 
-if (empty($right_frame) || (strpos(urldecode($right_frame), '://'))) {
+if (empty($right_frame) || (strpos(urldecode($right_frame), '//') !== false)) {
     $right_frame = '';
 }
 
@@ -182,4 +185,4 @@ echo $output;
 
 ?>
 </frameset>
-</html>
\ No newline at end of file
+</html>