From 0120b304ff2bb5dd9e5de837ed3632d924b5e8aa Mon Sep 17 00:00:00 2001 From: philippe_mingo Date: Fri, 13 Sep 2002 23:57:51 +0000 Subject: [PATCH] 4) XSS in help.php: http://.net/webmail/src/help.php?chapter= Based on Jason's fix. Also include a nasty i18n bugfix git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@3665 7612ce4b-ef26-0410-bec9-ea0150e637f0 --- src/help.php | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/src/help.php b/src/help.php index e9b3c316..88b92f19 100644 --- a/src/help.php +++ b/src/help.php @@ -41,6 +41,7 @@ $helpdir[8] = 'FAQ.hlp'; */ function get_info($doc, $pos) { + for ($n=$pos; $n < count($doc); $n++) { if (trim(strtolower($doc[$n])) == '' || trim(strtolower($doc[$n])) == '
') { @@ -70,18 +71,19 @@ function get_info($doc, $pos) { } if (isset($ary)) { $ary[3] = $n; - return $ary; } else { - $ary[0] = 'ERROR: Help files are not in the right format!'; - $ary[1] = 'ERROR: Help files are not in the right format!'; - $ary[2] = 'ERROR: Help files are not in the right format!'; - return $ary; + $ary[0] = _("ERROR: Help files are not in the right format!"); + $ary[1] = $ary[0]; + $ary[2] = $ary[0]; } + return( $ary ); } } - $ary[0] = 'ERROR: Help files are not in the right format!'; - $ary[1] = 'ERROR: Help files are not in the right format!'; - return $ary; + + $ary[0] = _("ERROR: Help files are not in the right format!"); + $ary[1] = $ary[0]; + + return( $ary ); } /**************[ END HELP FUNCTIONS ]******************/ @@ -163,9 +165,13 @@ if ($help_exists == true) { $chapter = 3; } else if ($context == 'search'){ $chapter = 8; + } else if ( isset( $_GET['chapter'] ) ) { + $chapter = intval( $_GET['chapter']); + } else { + $chapter = 0; } - if (!isset($chapter)) { + if ( $chapter == 0 || !isset( $helpdir[$chapter] ) ) { echo html_tag( 'table', '', 'center', '', 'cellpadding="0" cellspacing="0" border="0"' ); html_tag( 'tr' ) . html_tag( 'td' ) . -- 2.25.1
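Review bot: The error paths of get_info() return a differently shaped array than the success path: the `else` branch fills indices 0–2 but never sets `$ary[3]`, and the trailing fallback fills only 0 and 1. If the caller reads `$ary[3]` as the next position (the caller is not visible here), a malformed help file gives it an undefined index. Setting `$ary[3] = $n;` in the `else` branch, and `$ary[2] = $ary[0]; $ary[3] = $n;` in the fallback, would keep the shape uniform. As a style point, `return( $ary );` reads better as `return $ary;`, since `return` is a language construct rather than a function. The function body starts before this hunk.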
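Review bot: The allow-list check `!isset( $helpdir[$chapter] )` may not test the index that is later dereferenced. The hunk maps the `search` context to chapter 8 while the first hunk's header shows `$helpdir[8] = 'FAQ.hlp'`, which suggests chapter numbers are 1-based against a 0-based `$helpdir`. If the code after this hunk reads `$helpdir[$chapter-1]` (not visible here), the last chapter would be rejected and the guard should be `if ( $chapter < 1 || !isset( $helpdir[$chapter - 1] ) ) {`. The `intval()` cast and this lookup are what keep the request value out of the page, so a comment above the `$_GET['chapter']` branch such as `// chapter comes from the request: cast to int and accept only indexes present in $helpdir` would stop a later edit from using the raw value again. The `if` chain begins before this hunk.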