Fix improperly quoted href link addresses; closes XSS exploit exlained at CVE-2008...

author pdontthink <pdontthink@7612ce4b-ef26-0410-bec9-ea0150e637f0>

Thu, 4 Dec 2008 04:20:40 +0000 (04:20 +0000)

committer pdontthink <pdontthink@7612ce4b-ef26-0410-bec9-ea0150e637f0>

Thu, 4 Dec 2008 04:20:40 +0000 (04:20 +0000)
author pdontthink <pdontthink@7612ce4b-ef26-0410-bec9-ea0150e637f0>
Thu, 4 Dec 2008 04:20:40 +0000 (04:20 +0000)
committer pdontthink <pdontthink@7612ce4b-ef26-0410-bec9-ea0150e637f0>
Thu, 4 Dec 2008 04:20:40 +0000 (04:20 +0000)
diff --git a/functions/mime.php b/functions/mime.php

index ae3c7ac42e372c3e423455903633fef54c6ac8fa..4447f17f4597d1fdb6d4a38735fa07d1b70dd5d9 100644 (file)
--- a/functions/mime.php
+++ b/functions/mime.php
@@ -1944,6 +1944,8 @@ function sq_fix_url($attname, &$attvalue, $message, $id, $mailbox,$sQuote = '"')
                                      $attvalue = $sQuote . SM_PATH . 'images/blank.png'. $sQuote;
                                  }
                              }
                                      $attvalue = $sQuote . SM_PATH . 'images/blank.png'. $sQuote;
                                  }
                              }
+                        } else {
+                            $attvalue = $sQuote . $attvalue . $sQuote;
                          }
                          break;
                      case 'outbind':
                          }
                          break;
                      case 'outbind':
@@ -1952,13 +1954,13 @@ function sq_fix_url($attname, &$attvalue, $message, $id, $mailbox,$sQuote = '"')
                           * One day MS might actually make it match something useful, for now, falling
                           * back to using cid2http, so we can grab the blank.png.
                           */
                           * One day MS might actually make it match something useful, for now, falling
                           * back to using cid2http, so we can grab the blank.png.
                           */
-                        $attvalue = sq_cid2http($message, $id, $attvalue, $mailbox);
+                        $attvalue = $sQuote . sq_cid2http($message, $id, $attvalue, $mailbox) . $sQuote;
                          break;
                      case 'cid':
                          /**
                              * Turn cid: urls into http-friendly ones.
                              */
                          break;
                      case 'cid':
                          /**
                              * Turn cid: urls into http-friendly ones.
                              */
-                        $attvalue = sq_cid2http($message, $id, $attvalue, $mailbox);
+                        $attvalue = $sQuote . sq_cid2http($message, $id, $attvalue, $mailbox) . $sQuote;
                          break;
                      default:
                          $attvalue = $sQuote . SM_PATH . 'images/blank.png' . $sQuote;
                          break;
                      default:
                          $attvalue = $sQuote . SM_PATH . 'images/blank.png' . $sQuote;
author	pdontthink <pdontthink@7612ce4b-ef26-0410-bec9-ea0150e637f0>
	Thu, 4 Dec 2008 04:20:40 +0000 (04:20 +0000)
committer	pdontthink <pdontthink@7612ce4b-ef26-0410-bec9-ea0150e637f0>
	Thu, 4 Dec 2008 04:20:40 +0000 (04:20 +0000)