From a6d3eff675f7ace3d69f6d9788489ca930333315 Mon Sep 17 00:00:00 2001 From: stekkel Date: Wed, 15 Jun 2005 23:07:09 +0000 Subject: [PATCH] XSS fixes git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@9616 7612ce4b-ef26-0410-bec9-ea0150e637f0 --- plugins/calendar/calendar.php | 12 +++-- plugins/calendar/day.php | 18 ++++--- plugins/calendar/event_create.php | 45 ++++++++++------ plugins/calendar/event_edit.php | 54 +++++++++++-------- plugins/listcommands/mailout.php | 20 ++++--- plugins/newmail/newmail.php | 1 + plugins/spamcop/setup.php | 4 +- plugins/squirrelspell/modules/lang_change.mod | 2 +- src/compose.php | 10 ++-- src/right_main.php | 6 ++- src/search.php | 2 +- 11 files changed, 112 insertions(+), 62 deletions(-)
diff --git a/plugins/calendar/calendar.php b/plugins/calendar/calendar.php
index fe30b58c..b87d6943 100644
--- a/plugins/calendar/calendar.php
+++ b/plugins/calendar/calendar.php
@@ -34,16 +34,20 @@ require_once(SM_PATH . 'functions/html.php');
 /* get globals */
-if (isset($_GET['month'])) {
+// undo rg = on effects
+if (isset($month)) unset($month);
+if (isset($year)) unset($year);
+
+if (isset($_GET['month']) && is_numeric($_GET['month'])) {
 $month = $_GET['month'];
 }
-if (isset($_GET['year'])) {
+if (isset($_GET['year']) && is_numeric($_GET['year'])) {
 $year = $_GET['year'];
 }
-if (isset($_POST['year'])) {
+if (isset($_POST['year']) && is_numeric($_POST['year'])) {
 $year = $_POST['year'];
 }
-if (isset($_POST['month'])) {
+if (isset($_POST['month']) && is_numeric($_POST['month'])) {
 $month = $_POST['month'];
 }
 /* got 'em */
diff --git a/plugins/calendar/day.php b/plugins/calendar/day.php
index 72b2d1d8..d30676d2 100644
--- a/plugins/calendar/day.php
+++ b/plugins/calendar/day.php
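Review bot: The new `is_numeric()` guards on `$_GET['month']`/`$_POST['year']` keep markup out of the page, but they still admit values such as `-1`, `1.5`, `1e3`, leading whitespace and, on PHP 5, hex strings like `0x1f`, none of which is a valid month or year, so whatever consumes `$month`/`$year` below this hunk (outside my view) has to cope with them. This same patch already uses the stronger form in newmail.php (`$numnew = (int)$numnew;`); a cast plus a range check here would close the gap, e.g. `$month = (int)$_GET['month']; if ($month < 1 || $month > 12) unset($month);`. The `unset()` lines neutralise register_globals only for `$month` and `$year`, which is sufficient provided no other request-derived globals are read elsewhere in this file.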
@@ -32,22 +32,28 @@ require_once(SM_PATH . 'include/load_prefs.php');
 require_once(SM_PATH . 'functions/html.php');
 /* get globals */
-if (isset($_GET['year'])) {
+
+// undo rg = on effects
+if (isset($month)) unset($month);
+if (isset($year)) unset($year);
+if (isset($day)) unset($day);
+
+if (isset($_GET['year']) && is_numeric($_GET['year'])) {
 $year = $_GET['year'];
 }
-elseif (isset($_POST['year'])) {
+elseif (isset($_POST['year']) && is_numeric($_POST['year'])) {
 $year = $_POST['year'];
 }
-if (isset($_GET['month'])) {
+if (isset($_GET['month']) && is_numeric($_GET['month'])) {
 $month = $_GET['month'];
 }
-elseif (isset($_POST['month'])) {
+elseif (isset($_POST['month']) && is_numeric($_POST['month'])) {
 $month = $_POST['month'];
 }
-if (isset($_GET['day'])) {
+if (isset($_GET['day']) && is_numeric($_GET['day'])) {
 $day = $_GET['day'];
 }
-elseif (isset($_POST['day'])) {
+elseif (isset($_POST['day']) && is_numeric($_POST['day'])) {
 $day = $_POST['day'];
 }
diff --git a/plugins/calendar/event_create.php b/plugins/calendar/event_create.php
index 19e4e880..febd8375 100644
--- a/plugins/calendar/event_create.php
+++ b/plugins/calendar/event_create.php
@@ -35,40 +35,53 @@ require_once(SM_PATH . 'functions/html.php');
 /* get globals */
-if (isset($_POST['year'])) {
- $year = $_POST['year'];
-}
-elseif (isset($_GET['year'])) {
+// undo rg = on effects
+if (isset($month)) unset($month);
+if (isset($year)) unset($year);
+if (isset($day)) unset($day);
+if (isset($hour)) unset($hour);
+if (isset($minute)) unset($minute);
+if (isset($event_hour)) unset($event_hour);
+if (isset($event_minute)) unset($event_minute);
+if (isset($event_length)) unset($event_length);
+if (isset($event_priority)) unset($event_priority);
+
+
+if (isset($_GET['year']) && is_numeric($_GET['year'])) {
 $year = $_GET['year'];
 }
-if (isset($_POST['month'])) {
- $month = $_POST['month'];
+elseif (isset($_POST['year']) && is_numeric($_POST['year'])) {
+ $year = $_POST['year'];
 }
-elseif (isset($_GET['month'])) {
+if (isset($_GET['month']) && is_numeric($_GET['month'])) {
 $month = $_GET['month'];
 }
-if (isset($_POST['day'])) {
- $day = $_POST['day'];
+elseif (isset($_POST['month']) && is_numeric($_POST['month'])) {
+ $month = $_POST['month'];
 }
-elseif (isset($_GET['day'])) {
+if (isset($_GET['day']) && is_numeric($_GET['day'])) {
 $day = $_GET['day'];
 }
-if (isset($_POST['hour'])) {
+elseif (isset($_POST['day']) && is_numeric($_POST['day'])) {
+ $day = $_POST['day'];
+}
+
+if (isset($_POST['hour']) && is_numeric($_POST['hour'])) {
 $hour = $_POST['hour'];
 }
-elseif (isset($_GET['hour'])) {
+elseif (isset($_GET['hour']) && is_numeric($_GET['hour'])) {
 $hour = $_GET['hour'];
 }
-if (isset($_POST['event_hour'])) {
+if (isset($_POST['event_hour']) && is_numeric($_POST['event_hour'])) {
 $event_hour = $_POST['event_hour'];
 }
-if (isset($_POST['event_minute'])) {
+if (isset($_POST['event_minute']) && is_numeric($_POST['event_minute'])) {
 $event_minute = $_POST['event_minute'];
 }
-if (isset($_POST['event_length'])) {
+if (isset($_POST['event_length']) && is_numeric($_POST['event_length'])) {
 $event_length = $_POST['event_length'];
 }
-if 
(isset($_POST['event_priority'])) {
+if (isset($_POST['event_priority']) && is_numeric($_POST['event_priority'])) {
 $event_priority = $_POST['event_priority'];
 }
 if (isset($_POST['event_title'])) {
diff --git a/plugins/calendar/event_edit.php b/plugins/calendar/event_edit.php
index c937e9ae..8a839757 100644
--- a/plugins/calendar/event_edit.php
+++ b/plugins/calendar/event_edit.php
@@ -34,25 +34,40 @@ require_once(SM_PATH . 'functions/html.php');
 /* get globals */
+// undo rg = on effects
+if (isset($month)) unset($month);
+if (isset($year)) unset($year);
+if (isset($day)) unset($day);
+if (isset($hour)) unset($hour);
+if (isset($minute)) unset($minute);
+if (isset($event_year)) unset($event_year);
+if (isset($event_month)) unset($event_month);
+if (isset($event_day)) unset($event_day);
+if (isset($event_hour)) unset($event_hour);
+if (isset($event_minute)) unset($event_minute);
+if (isset($event_length)) unset($event_length);
+if (isset($event_priority)) unset($event_priority);
+
 if (isset($_POST['updated'])) {
 $updated = $_POST['updated'];
 }
-if (isset($_POST['event_year'])) {
+
+if (isset($_POST['event_year']) && is_numeric($_POST['event_year'])) {
 $event_year = $_POST['event_year'];
 }
-if (isset($_POST['event_month'])) {
+if (isset($_POST['event_month']) && is_numeric($_POST['event_month'])) {
 $event_month = $_POST['event_month'];
 }
-if (isset($_POST['event_day'])) {
+if (isset($_POST['event_day']) && is_numeric($_POST['event_day'])) {
 $event_day = $_POST['event_day'];
 }
-if (isset($_POST['event_hour'])) {
+if (isset($_POST['event_hour']) && is_numeric($_POST['event_hour'])) {
 $event_hour = $_POST['event_hour'];
 }
-if (isset($_POST['event_minute'])) {
+if (isset($_POST['event_minute']) && is_numeric($_POST['event_minute'])) {
 $event_minute = $_POST['event_minute'];
 }
-if (isset($_POST['event_length'])) {
+if (isset($_POST['event_length']) && is_numeric($_POST['event_length'])) {
 $event_length = $_POST['event_length'];
 }
 if (isset($_POST['event_title'])) {
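Review bot: The register_globals clean-up at the top of the event_create.php hunk unsets only the numeric parameters; `$event_title`, which is read on the hunk's last line and assigned solely from `$_POST`, is not on the list, so with register_globals on a GET or cookie parameter of that name survives into `$event_title` on any non-POST request (the same presumably holds for `$event_text`, handled below the hunk). Whether that is exploitable depends on how those values are used further down the file, outside this view, but the cheap fix is to extend the list: `if (isset($event_title)) unset($event_title);` and likewise for `$event_text`. The event_edit.php hunk that follows has the same gap for `$updated`, `$event_title`, `$send` and `$confirmed`, which it reads from `$_POST` without first unsetting the globals.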
@@ -64,40 +79,37 @@ if (isset($_POST['event_text'])) {
 if (isset($_POST['send'])) {
 $send = $_POST['send'];
 }
-if (isset($_POST['event_priority'])) {
+if (isset($_POST['event_priority']) && is_numeric($_POST['event_priority'])) {
 $event_priority = $_POST['event_priority'];
 }
 if (isset($_POST['confirmed'])) {
 $confirmed = $_POST['confirmed'];
 }
-if (isset($_POST['year'])) {
+
+if (isset($_POST['year']) && is_numeric($_POST['year'])) {
 $year = $_POST['year'];
-}
-elseif (isset($_GET['year'])) {
+} elseif (isset($_GET['year']) && is_numeric($_GET['year'])) {
 $year = $_GET['year'];
 }
-if (isset($_POST['month'])) {
+if (isset($_POST['month']) && is_numeric($_POST['month'])) {
 $month = $_POST['month'];
-}
-elseif (isset($_GET['month'])) {
+} elseif (isset($_GET['month']) && is_numeric($_GET['month'])) {
 $month = $_GET['month'];
 }
-if (isset($_POST['day'])) {
+if (isset($_POST['day']) && is_numeric($_POST['day'])) {
 $day = $_POST['day'];
-}
-elseif (isset($_GET['day'])) {
+} elseif (isset($_GET['day']) && is_numeric($_GET['day'])) {
 $day = $_GET['day'];
 }
-if (isset($_POST['hour'])) {
+if (isset($_POST['hour']) && is_numeric($_POST['hour'])) {
 $hour = $_POST['hour'];
-}
-elseif (isset($_GET['hour'])) {
+} elseif (isset($_GET['hour']) && is_numeric($_GET['hour'])) {
 $hour = $_GET['hour'];
 }
-if (isset($_POST['minute'])) {
+if (isset($_POST['minute']) && is_numeric($_POST['minute'])) {
 $minute = $_POST['minute'];
 }
-elseif (isset($_GET['minute'])) {
+elseif (isset($_GET['minute']) && is_numeric($_GET['minute'])) {
 $minute = $_GET['minute'];
 }
 /* got 'em */
diff --git a/plugins/listcommands/mailout.php b/plugins/listcommands/mailout.php
index c85d2680..58dfb7ae 100644
--- a/plugins/listcommands/mailout.php
+++ b/plugins/listcommands/mailout.php
@@ -33,14 +33,6 @@ sqgetGlobalVar('action', $action, SQ_GET);
 displayPageHeader($color, $mailbox);
 $fieldsdescr = listcommands_fieldsdescr();
-echo html_tag('p', '', 'left' ) .
- html_tag( 'table', '', 'center', $color[0], 'border="0" width="75%"' ) . "\n" .
- html_tag( 'tr',
- html_tag( 'th', _("Mailinglist") . ': ' . $fieldsdescr[$action], '', $color[9] )
- ) .
- html_tag( 'tr' ) .
- html_tag( 'td', '', 'left' );
-
 switch ( $action ) {
 case 'help':
 $out_string = _("This will send a message to %s requesting help for this list. You will receive an emailed response at the address below.");
@@ -50,8 +42,20 @@ switch ( $action ) {
 break;
 case 'unsubscribe':
 $out_string = _("This will send a message to %s requesting that you will be unsubscribed from this list. It will try to unsubscribe the adress below.");
+ break;
+ default:
+ error_box(sprintf(_("Unknown action: %s"),htmlspecialchars($action)), $color);
+ exit;
 }
+echo html_tag('p', '', 'left' ) .
+ html_tag( 'table', '', 'center', $color[0], 'border="0" width="75%"' ) . "\n" .
+ html_tag( 'tr',
+ html_tag( 'th', _("Mailinglist") . ': ' . $fieldsdescr[$action], '', $color[9] )
+ ) .
+ html_tag( 'tr' ) .
+ html_tag( 'td', '', 'left' );
+
 printf($out_string, '"' . htmlspecialchars($send_to) . '"');
 echo addForm(SM_PATH . 'src/compose.php', 'post');
diff --git a/plugins/newmail/newmail.php b/plugins/newmail/newmail.php
index 3c1d65ec..82a95a76 100644
--- a/plugins/newmail/newmail.php
+++ b/plugins/newmail/newmail.php
@@ -19,6 +19,7 @@ define('SM_PATH','../../');
 require_once(SM_PATH . 'include/validate.php');
 sqGetGlobalVar('numnew', $numnew, SQ_GET);
+$numnew = (int)$numnew;
 displayHtmlHeader( _("New Mail"), '', FALSE );
diff --git a/plugins/spamcop/setup.php b/plugins/spamcop/setup.php
index 220f2748..d73d72cc 100755
--- a/plugins/spamcop/setup.php
+++ b/plugins/spamcop/setup.php
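Review bot: The new `default:` branch turns `$action` into a whitelist and closes the reflected-value hole in `$fieldsdescr[$action]`, but the other user-influenced value in this hunk, `$send_to`, is only HTML-escaped at `printf($out_string, '"' . htmlspecialchars($send_to) . '"')` and never validated before it is placed into the compose form that follows. `$send_to` is assigned above the hunk, so I cannot see its origin; if it is request-derived it should be checked as a mail address (or rejected) at the point it is read, with a comment such as `// $send_to is user-supplied: validated as an address above, escaped here for HTML`. Note also that `error_box()` runs after `displayPageHeader()` has already emitted output, so the `exit` leaves a partially rendered page, which is acceptable but worth stating in a comment on the `default:` arm.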
@@ -83,7 +83,9 @@ function spamcop_show_link() {
 sqgetGlobalVar('passed_id', $passed_id, SQ_FORM);
 sqgetGlobalVar('passed_ent_id',$passed_ent_id,SQ_FORM);
 sqgetGlobalVar('mailbox', $mailbox, SQ_FORM);
- sqgetGlobalVar('startMessage', $startMessage, SQ_FORM);
+ if ( sqgetGlobalVar('startMessage', $startMessage, SQ_FORM) ) {
+ $startMessage = (int)$startMessage;
+ }
 /* END GLOBALS */
 // catch unset passed_ent_id
diff --git a/plugins/squirrelspell/modules/lang_change.mod b/plugins/squirrelspell/modules/lang_change.mod
index 0b93a61a..cf738e63 100644
--- a/plugins/squirrelspell/modules/lang_change.mod
+++ b/plugins/squirrelspell/modules/lang_change.mod
@@ -39,7 +39,7 @@ foreach ($use_langs as $lang) {
 if (sizeof($new_langs)>1) {
 $dsp_string = '';
 foreach( $new_langs as $a) {
- $dsp_string .= _(trim($a)) . ', ';
+ $dsp_string .= _(htmlspecialchars(trim($a))) . ', ';
 }
 // remove last comma and space
 $dsp_string = substr( $dsp_string, 0, -2 );
diff --git a/src/compose.php b/src/compose.php
index eab20f32..dd8c58ac 100644
--- a/src/compose.php
+++ b/src/compose.php
@@ -77,7 +77,11 @@ sqgetGlobalVar('draft_id',$draft_id);
 sqgetGlobalVar('ent_num',$ent_num);
 sqgetGlobalVar('saved_draft',$saved_draft);
 sqgetGlobalVar('delete_draft',$delete_draft);
-sqgetGlobalVar('startMessage',$startMessage);
+if ( sqgetGlobalVar('startMessage',$startMessage) ) {
+ $startMessage = (int)$startMessage;
+} else {
+ $startMessage = 1;
+}
 /** POST VARS */
 sqgetGlobalVar('sigappend', $sigappend, SQ_POST);
@@ -388,7 +392,7 @@ if ($draft) { echo '
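Review bot: `$startMessage` now gets an `(int)` cast, but `passed_id` and `passed_ent_id`, read from SQ_FORM on the context lines directly above it, are identifiers taken with no cast or check and the commit leaves them untouched. If `spamcop_show_link()` (whose body begins outside the hunk) interpolates them into the link it builds, they need the same treatment: `$passed_id = (int)$passed_id;`, and for `passed_ent_id`, which may carry a dotted part number, a shape check such as `preg_match('/^[0-9.]+$/', $passed_ent_id)` rather than an int cast. `$mailbox` is free-form and should be URL-encoded where it is emitted, which I cannot see from here.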
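Review bot: In the lang_change.mod hunk, `_(htmlspecialchars(trim($a)))` escapes the string before it is used as the gettext lookup key, so a language name containing `&`, `"` or `'` no longer matches its catalogue entry, and the translation that `_()` returns is then emitted without escaping. Escaping the output instead keeps the lookup intact and still neutralises an unknown, user-supplied value, since `_()` returns such a string verbatim: `$dsp_string .= htmlspecialchars(_(trim($a))) . ', ';`. Where `$new_langs` is populated is above this hunk, so I cannot tell whether its entries are already constrained to a fixed list; if they are, a comment saying so at the loop would make the escaping's purpose clear.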

' . _("Return") . '
'; - } + } exit(); } else { if ( !isset($pageheader_sent) || !$pageheader_sent ) {
@@ -399,7 +403,7 @@ if ($draft) { . '/right_main.php?mailbox=' . urlencode($draft_folder) . '&startMessage=1&note=' . urlencode($draft_message) .'">' . _("Return") . ''; - } + } exit(); } }
diff --git a/src/right_main.php b/src/right_main.php
index c8380e7d..d5285890 100644
--- a/src/right_main.php
+++ b/src/right_main.php
@@ -17,6 +17,7 @@
 * Path for SquirrelMail required files.
 * @ignore
 */
+//xdebug_start_profiling();
 define('SM_PATH','../');
 /* SquirrelMail required files. */
@@ -292,7 +293,7 @@ if (isset($mail_sent) && $mail_sent == 'yes') {
 $note = _("Your Message has been sent.");
 }
 if (isset($note)) {
- echo html_tag( 'div', '' . $note .'', 'center' ) . "
\n";
+ echo html_tag( 'div', '' . htmlspecialchars($note) .'', 'center' ) . "
\n";
 }
 if ( sqgetGlobalVar('just_logged_in', $just_logged_in, SQ_SESSION) ) {
@@ -373,5 +374,8 @@ echo '';
 /* add the mailbox to the cache */
 $mailbox_cache[$account.'_'.$aMailbox['NAME']] = $aMailbox;
 sqsession_register($mailbox_cache,'mailbox_cache');
+echo "
".__FILE__;
+//xdebug_dump_function_profile(4);
+
 ?>
\ No newline at end of file
diff --git a/src/search.php b/src/search.php
index b08778f5..a5765d71 100644
--- a/src/search.php
+++ b/src/search.php
@@ -1387,7 +1387,7 @@ if (isset($aMailbox['FORWARD_SESSION'])) {
 }
 if (isset($note)) {
- echo html_tag( 'div', '' . $note .'', 'center' ) . "
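Review bot: The `echo` of `__FILE__` added at the end of right_main.php prints the absolute filesystem path of the script to every user on every mailbox view, an information disclosure that has nothing to do with the XSS fix; together with the commented `//xdebug_dump_function_profile(4);` beside it and `//xdebug_start_profiling();` in the first hunk of this file, it reads as profiling scaffolding committed by accident. Drop the three added lines of this hunk (the `echo`, the xdebug comment and the blank) so the file ends at `?>` as before, and drop the xdebug comment in the first hunk as well. If a profiling hook is genuinely wanted, gate it on a configuration flag rather than leaving it live in the default code path.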
\n";
+ echo html_tag( 'div', '' . htmlspecialchars($note) .'', 'center' ) . "
\n";
 }
-- 2.25.1