Sanitize integer option fields - only digits allowed
authorpdontthink <pdontthink@7612ce4b-ef26-0410-bec9-ea0150e637f0>
Thu, 29 Dec 2011 06:56:03 +0000 (06:56 +0000)
committerpdontthink <pdontthink@7612ce4b-ef26-0410-bec9-ea0150e637f0>
Thu, 29 Dec 2011 06:56:03 +0000 (06:56 +0000)
git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@14247 7612ce4b-ef26-0410-bec9-ea0150e637f0

functions/options.php

index a09f3a2e41840e2ec3917780c912b3ab21303f37..aef6e97420ec50c6de4b1e8870bb2cab2583c3da 100644 (file)
@@ -894,6 +894,15 @@ function save_option($option) {
           && empty($option->new_value)) 
         setPref($data_dir, $username, $option->name, SMPREF_OFF);
 
+    // For integer fields, make sure we only have digits...
+    // We'll be nice and instead of just converting to an integer,
+    // we'll physically remove each non-digit in the string.
+    //
+    else if ($option->type == SMOPT_TYPE_INTEGER) {
+        $option->new_value = preg_replace('/[^0-9]/', '', $option->new_value);
+        setPref($data_dir, $username, $option->name, $option->new_value);
+    }
+
     else
         setPref($data_dir, $username, $option->name, $option->new_value);