From: pdontthink Date: Thu, 4 Dec 2008 04:20:40 +0000 (+0000) Subject: Fix improperly quoted href link addresses; closes XSS exploit exlained at CVE-2008... X-Git-Url: https://vcs.fsf.org/?p=squirrelmail.git;a=commitdiff_plain;h=cf088f55b6943a4db1d1bf5abe7904670186ce33 Fix improperly quoted href link addresses; closes XSS exploit exlained at CVE-2008-2379. Thanks to Secunia Research for reporting this issue. git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@13339 7612ce4b-ef26-0410-bec9-ea0150e637f0 --- diff --git a/functions/mime.php b/functions/mime.php index ae3c7ac4..4447f17f 100644 --- a/functions/mime.php +++ b/functions/mime.php @@ -1944,6 +1944,8 @@ function sq_fix_url($attname, &$attvalue, $message, $id, $mailbox,$sQuote = '"') $attvalue = $sQuote . SM_PATH . 'images/blank.png'. $sQuote; } } + } else { + $attvalue = $sQuote . $attvalue . $sQuote; } break; case 'outbind': @@ -1952,13 +1954,13 @@ function sq_fix_url($attname, &$attvalue, $message, $id, $mailbox,$sQuote = '"') * One day MS might actually make it match something useful, for now, falling * back to using cid2http, so we can grab the blank.png. */ - $attvalue = sq_cid2http($message, $id, $attvalue, $mailbox); + $attvalue = $sQuote . sq_cid2http($message, $id, $attvalue, $mailbox) . $sQuote; break; case 'cid': /** * Turn cid: urls into http-friendly ones. */ - $attvalue = sq_cid2http($message, $id, $attvalue, $mailbox); + $attvalue = $sQuote . sq_cid2http($message, $id, $attvalue, $mailbox) . $sQuote; break; default: $attvalue = $sQuote . SM_PATH . 'images/blank.png' . $sQuote;