From: kink Date: Sun, 28 Mar 2004 14:38:13 +0000 (+0000) Subject: Make compose.php XSS-safe by encoding all untrusted data. I'm using the new X-Git-Url: https://vcs.fsf.org/?p=squirrelmail.git;a=commitdiff_plain;h=df96b37ae22acc31a2ad6b09379e6b60866ee4f4 Make compose.php XSS-safe by encoding all untrusted data. I'm using the new forms.php functions here. I think all possible XSS in compose.php is covered now. Will be backported to stable within a couple of days if no problems arise. git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@6913 7612ce4b-ef26-0410-bec9-ea0150e637f0 --- diff --git a/src/compose.php b/src/compose.php index 4d315296..5e094f27 100644 --- a/src/compose.php +++ b/src/compose.php @@ -32,6 +32,7 @@ require_once(SM_PATH . 'functions/display_messages.php'); require_once(SM_PATH . 'class/deliver/Deliver.class.php'); require_once(SM_PATH . 'functions/addressbook.php'); require_once(SM_PATH . 'functions/identity.php'); +require_once(SM_PATH . 'functions/forms.php'); /* --------------------- Get globals ------------------------------------- */ /** COOKIE VARS */ @@ -689,9 +690,9 @@ function newMail ($mailbox='', $passed_id='', $passed_ent_id='', $action='', $se case ('draft'): $use_signature = FALSE; $composeMessage->rfc822_header = $orig_header; - $send_to = decodeHeader($orig_header->getAddr_s('to'),false,true,true); - $send_to_cc = decodeHeader($orig_header->getAddr_s('cc'),false,true,true); - $send_to_bcc = decodeHeader($orig_header->getAddr_s('bcc'),false,true,true); + $send_to = decodeHeader($orig_header->getAddr_s('to'),false,false,true); + $send_to_cc = decodeHeader($orig_header->getAddr_s('cc'),false,false,true); + $send_to_bcc = decodeHeader($orig_header->getAddr_s('bcc'),false,false,true); $send_from = $orig_header->getAddr_s('from'); $send_from_parts = new AddressStructure(); $send_from_parts = $orig_header->parseAddress($send_from); 
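Review bot: Flipping the third decodeHeader() argument to `false` here (and identically at @@ -705, -723, -734, -750 and -764, plus the else branch of showInputForm at @@ -923) means `$send_to`, `$send_to_cc`, `$send_to_bcc` and `$subject` now carry raw decoded header text instead of HTML-escaped text, assuming that parameter is decodeHeader()'s `$htmlsafe` flag, so the XSS guarantee now rests entirely on the output helpers and nothing in the code records that shift. I would add a comment at this first call, `// htmlsafe=false: keep raw header text here; forms.php addInput()/addHidden() HTML-encode it at output`, so a later maintainer does not echo one of these variables directly. Any emission of these variables that bypasses the forms.php helpers, for example a bare `echo $subject` elsewhere in the file, is now unescaped output and deserves the same review. newMail's body continues on both sides of this hunk.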
@@ -705,7 +706,7 @@ function newMail ($mailbox='', $passed_id='', $passed_ent_id='', $action='', $se } } } - $subject = decodeHeader($orig_header->subject,false,true,true); + $subject = decodeHeader($orig_header->subject,false,false,true); // /* remember the references and in-reply-to headers in case of an reply */ $composeMessage->rfc822_header->more_headers['References'] = $orig_header->references; $composeMessage->rfc822_header->more_headers['In-Reply-To'] = $orig_header->in_reply_to; @@ -723,10 +724,10 @@ function newMail ($mailbox='', $passed_id='', $passed_ent_id='', $action='', $se $composeMessage = getAttachments($message, $composeMessage, $passed_id, $entities, $imapConnection); break; case ('edit_as_new'): - $send_to = decodeHeader($orig_header->getAddr_s('to'),false,true,true); - $send_to_cc = decodeHeader($orig_header->getAddr_s('cc'),false,true,true); - $send_to_bcc = decodeHeader($orig_header->getAddr_s('bcc'),false,true,true); - $subject = decodeHeader($orig_header->subject,false,true,true); + $send_to = decodeHeader($orig_header->getAddr_s('to'),false,false,true); + $send_to_cc = decodeHeader($orig_header->getAddr_s('cc'),false,false,true); + $send_to_bcc = decodeHeader($orig_header->getAddr_s('bcc'),false,false,true); + $subject = decodeHeader($orig_header->subject,false,false,true); $mailprio = $orig_header->priority; $orig_from = ''; $composeMessage = getAttachments($message, $composeMessage, $passed_id, $entities, $imapConnection); 
@@ -734,14 +735,14 @@ function newMail ($mailbox='', $passed_id='', $passed_ent_id='', $action='', $se break; case ('forward'): $send_to = ''; - $subject = getforwardSubject(decodeHeader($orig_header->subject,false,true,true)); + $subject = getforwardSubject(decodeHeader($orig_header->subject,false,false,true)); $body = getforwardHeader($orig_header) . $body; sqUnWordWrap($body); $composeMessage = getAttachments($message, $composeMessage, $passed_id, $entities, $imapConnection); $body = "\n" . $body; break; case ('forward_as_attachment'): - $subject = getforwardSubject(decodeHeader($orig_header->subject,false,true,true)); + $subject = getforwardSubject(decodeHeader($orig_header->subject,false,false,true)); $composeMessage = getMessage_RFC822_Attachment($message, $composeMessage, $passed_id, $passed_ent_id, $imapConnection); $body = ''; break; @@ -750,7 +751,7 @@ function newMail ($mailbox='', $passed_id='', $passed_ent_id='', $action='', $se $send_to = $orig_header->getAddr_s('mail_followup_to'); } else { $send_to_cc = replyAllString($orig_header); - $send_to_cc = decodeHeader($send_to_cc,false,true,true); + $send_to_cc = decodeHeader($send_to_cc,false,false,true); } case ('reply'): // skip this if send_to was already set right above here @@ -764,8 +765,8 @@ function newMail ($mailbox='', $passed_id='', $passed_ent_id='', $action='', $se $send_to = $orig_header->getAddr_s('from'); } } - $send_to = decodeHeader($send_to,false,true,true); - $subject = decodeHeader($orig_header->subject,false,true,true); + $send_to = decodeHeader($send_to,false,false,true); + $subject = decodeHeader($orig_header->subject,false,false,true); $subject = str_replace('"', "'", $subject); $subject = trim($subject); if (substr(strtolower($subject), 0, 3) != 're:') { 
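Review bot: With `$subject` now HTML-encoded at output by addInput(), the `$subject = str_replace('"', "'", $subject);` kept right after the changed decodeHeader() call looks like attribute-escaping that no longer protects anything, while it still rewrites every double quote in a reply subject to a single quote, which presumably also alters the Subject header that is eventually sent. If escaping was its only purpose it can be dropped, leaving `$subject = trim($subject);`; if it exists for another reason, a one-line comment saying so would stop the next reader from making the same guess. The reply case and newMail continue outside the hunk.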
@@ -913,7 +914,6 @@ function showInputForm ($session, $values=false) { $username, $compose_messages, $composesession, $default_charset; $composeMessage = $compose_messages[$session]; - if ($values) { $send_to = $values['send_to']; $send_to_cc = $values['send_to_cc']; @@ -923,9 +923,9 @@ function showInputForm ($session, $values=false) { $body = $values['body']; $identity = (int) $values['identity']; } else { - $send_to = decodeHeader($send_to); - $send_to_cc = decodeHeader($send_to_cc); - $send_to_bcc = decodeHeader($send_to_bcc); + $send_to = decodeHeader($send_to, true, false); + $send_to_cc = decodeHeader($send_to_cc, true, false); + $send_to_bcc = decodeHeader($send_to_bcc, true, false); } if ($use_javascript_addr_book) { @@ -945,20 +945,20 @@ function showInputForm ($session, $values=false) { echo ">\n"; - echo '\n"; + echo addHidden('startMessage', $startMessage); if ($action == 'draft') { - echo '\n"; + echo addHidden('delete_draft', $passed_id); } if (isset($delete_draft)) { - echo '\n"; + echo addHidden('delete_draft', $delete_draft); } if (isset($session)) { - echo '\n"; + echo addHidden('session', $session); } if (isset($passed_id)) { - echo '\n"; + echo addHidden('passed_id', $passed_id); } if ($saved_draft == 'yes') { @@ -978,54 +978,47 @@ function showInputForm ($session, $values=false) { /* display select list for identities */ if (count($idents) > 1) { + $ident_list = array(); + foreach($idents as $id => $data) { + $ident_list[$id] = + $data['full_name'].' <'.$data['email_address'].'>'; + } echo ' ' . "\n" . html_tag( 'td', '', 'right', $color[4], 'width="10%"' ) . _("From:") . '' . "\n" . html_tag( 'td', '', 'left', $color[4], 'width="90%"' ) . - ' ' . "\n" . - ' ' . "\n" . + echo ' ' . "\n" . ' ' . "\n"; } echo ' ' . "\n" . html_tag( 'td', '', 'right', $color[4], 'width="10%"' ) . _("To:") . '' . "\n" . html_tag( 'td', '', 'left', $color[4], 'width="90%"' ) . - '
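Review bot: Two of the new addHidden() calls emit a field with the same name: `addHidden('delete_draft', $passed_id)` when `$action == 'draft'` and `addHidden('delete_draft', $delete_draft)` when `isset($delete_draft)`, so a response in which both conditions hold carries two `delete_draft` inputs and the server sees whichever PHP parses last. This predates the commit, but the conversion is a good moment to either merge the two branches or record the precedence, e.g. `// delete_draft may be emitted twice; on submit the later (isset) value wins`. Encoding `$passed_id`, `$session` and `$startMessage` this way assumes addHidden() escapes its value argument, which is what the forms.php helpers are meant to do; the fields remain client-editable, so the code that reads them back should keep treating them as untrusted integers. showInputForm continues outside the hunk.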
' . "\n" . + addInput('send_to', $send_to, 60). '
' . "\n" . ' ' . "\n" . ' ' . "\n" . ' ' . "\n" . html_tag( 'td', '', 'right', $color[4] ) . _("CC:") . '' . "\n" . html_tag( 'td', '', 'left', $color[4] ) . - '
' . "\n" . + addInput('send_to_cc', $send_to_cc, 60). '
' . "\n" . ' ' . "\n" . ' ' . "\n" . ' ' . "\n" . html_tag( 'td', '', 'right', $color[4] ) . _("BCC:") . '' . "\n" . html_tag( 'td', '', 'left', $color[4] ) . - '
' . "\n" . + addInput('send_to_bcc', $send_to_bcc, 60).'
' . "\n" . ' ' . "\n" . ' ' . "\n" . ' ' . "\n" . html_tag( 'td', '', 'right', $color[4] ) . _("Subject:") . '' . "\n" . html_tag( 'td', '', 'left', $color[4] ) . "\n"; - echo ' ' . "\n" . + echo ' '.addInput('subject', $subject, 60). ' ' . "\n" . ' ' . "\n\n"; @@ -1037,14 +1030,14 @@ function showInputForm ($session, $values=false) { if ($compose_new_win == '1') { echo ' ' . "\n" . ' ' . "\n" . - '
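Review bot: The identity labels built in the new `$ident_list` loop embed literal angle brackets, `$data['full_name'].' <'.$data['email_address'].'>'`, and both `full_name` and `email_address` are user-editable preferences, so correct rendering and safety alike depend on the select helper HTML-encoding option text, not only option values; I would say so next to the loop, `// labels contain '<', '>' and user-set names: relies on addSelect() encoding the display text`. The select call itself is not visible in this hunk, so I cannot confirm that the label text is encoded; if only the value attribute were escaped, a crafted display name would render as markup. The `if ($values)` path of this function passes `$send_to` and friends straight from the array, which is consistent only because every `addInput('send_to', $send_to, 60)` site encodes on output. showInputForm continues outside the hunk.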
' . "\n" . ' ' . "\n" . @@ -1107,7 +1100,7 @@ function showInputForm ($session, $values=false) { } else { $maxsize = ''; } - echo ''; + echo addHidden('MAX_FILE_SIZE', min( $sizes )); echo ' ' . "\n" . ' ' . "\n" . ' mime_header->type1; $s_a[] = '
\n" . $attached_filename . + '" border="0">
'. + addCheckBox('delete[]', $key). + "\n" . $attached_filename . '- ' . $type . '('. show_readable_size( filesize( $attached_file ) ) . ')
'."\n"; } @@ -1166,19 +1160,18 @@ function showInputForm ($session, $values=false) { } echo '' . "\n" . - '\n" . - '\n" . - '\n"; + addHidden('username', $username). + addHidden('smaction', $action). + addHidden('mailbox', $mailbox); /* store the complete ComposeMessages array in a hidden input value so we can restore them in case of a session timeout. */ sqgetGlobalVar('QUERY_STRING', $queryString, SQ_SERVER); - echo '\n"; - echo '\n"; - echo '\n"; - echo ''; + echo addHidden('restoremessages', serialize($compose_messages)). + addHidden('composesession', $composesession). + addHidden('querystring', $queryString). + "\n"; if (!(bool) ini_get('file_uploads')) { /* File uploads are off, so we didn't show that part of the form. To avoid bogus bug reports, tell the user why. */ @@ -1202,22 +1195,20 @@ function showComposeButtonRow() { ' ' . "\n"; if ($default_use_priority) { if(!isset($mailprio)) { - $mailprio = "3"; - } - echo ' ' . _("Priority") .': ' . "\n"; + $mailprio = '3'; + } + echo ' ' . _("Priority") . + addSelect('mailprio', array( + '1' => _("High"), + '3' => _("Normal"), + '5' => _("Low") ), $mailprio, TRUE); } $mdn_user_support=getPref($data_dir, $username, 'mdn_user_support',$default_use_mdn); if ($default_use_mdn) { if ($mdn_user_support) { echo ' ' . _("Receipt") .': '. - ''. _("On Read"). - ' '. _("On Delivery"); + addCheckBox('request_mdn', $request_mdn == '1', '1'). _("On Read"). + addCheckBox('request_dr', $request_dr == '1', '1'). _("On Delivery"); } }
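Review bot: `addHidden('MAX_FILE_SIZE', min( $sizes ))` is only a hint to the client: the field is part of the submitted form, so a sender can change or omit it, and browsers generally ignore it, which makes it a usability aid rather than an upload-size control. The effective limits remain the server-side ones (post_max_size/upload_max_filesize, which `$sizes` is presumably derived from), and the attachment handler should keep checking the size of what actually arrived. A comment such as `// MAX_FILE_SIZE is advisory only; real upload limits are enforced server-side` would make that explicit. The attachment-list loop and showInputForm continue outside the hunk.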
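Review bot: `addHidden('restoremessages', serialize($compose_messages))` round-trips the complete compose state through the client; the HTML encoding added here stops it from breaking the page, but the comment above says the field exists to restore the messages after a session timeout, and if that path hands the posted value to unserialize() the data is attacker-modifiable on the way back, with deserialization of untrusted data and tampering with the message under composition as the risks. It would be worth either authenticating the blob (an HMAC with a server-side key, verified before unserialize) or keeping the state server-side and sending only an opaque key. `$queryString` from QUERY_STRING is likewise untrusted; encoding it through addHidden() is right for the HTML context, but whatever reads `querystring` back must re-validate it. This statement run continues outside the hunk.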