authorthomascube <thomas@roundcube.net>2006-11-22 11:42:37 +0000
committerthomascube <thomas@roundcube.net>2006-11-22 11:42:37 +0000
commite34ae17809c3dff8ed870405ffed4e0077cb8512 (patch)
treeab8abe4cd31c0702cb60a2c550a8f650c07d4758
parent0023c18291a077d983e457f07f59108338d17f8f (diff)
Fixed XSS vulnerability (Bug #1484109)
-rw-r--r--index.php15
-rw-r--r--program/include/main.inc8
2 files changed, 14 insertions, 9 deletions
diff --git a/index.php b/index.php
index 4e9dee1c7..4bf9d9487 100644
--- a/index.php
+++ b/index.php
@@ -2,7 +2,7 @@
/*
+-----------------------------------------------------------------------+
| RoundCube Webmail IMAP Client |
- | Version 0.1-20060907 |
+ | Version 0.1-20061122 |
| |
| Copyright (C) 2005-2006, RoundCube Dev. - Switzerland |
| Licensed under the GNU GPL |
@@ -40,7 +40,7 @@
*/
-define('RCMAIL_VERSION', '0.1-20060907');
+define('RCMAIL_VERSION', '0.1-20061122');
// define global vars
$CHARSET = 'UTF-8';
@@ -90,11 +90,12 @@ require_once('PEAR.php');
// catch some url/post parameters
-$_task = get_input_value('_task', RCUBE_INPUT_GPC);
-$_action = get_input_value('_action', RCUBE_INPUT_GPC);
+$_task = strip_quotes(get_input_value('_task', RCUBE_INPUT_GPC));
+$_action = strip_quotes(get_input_value('_action', RCUBE_INPUT_GPC));
$_framed = (!empty($_GET['_framed']) || !empty($_POST['_framed']));
-if (empty($_task))
+// use main task if empty or invalid value
+if (empty($_task) || !in_array($_task, $MAIN_TASKS))
$_task = 'mail';
if (!empty($_GET['_remote']))
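Review bot: `$_action` on the hunk's fourth new line is only passed through strip_quotes, while `$_task` on the same lines now gets the `$MAIN_TASKS` allowlist; removing `'` and `"` is a blocklist that leaves `<`, `>`, `&` and backslashes in place, so wherever `$_action` is later written into markup or a script it still needs context-specific escaping. An allowlist on the value itself would make the parameter safe independent of where it is used, e.g. `if (!preg_match('/^[a-zA-Z0-9_-]*$/', $_action)) $_action = '';`. The `in_array($_task, $MAIN_TASKS)` check could also pass `true` as its third argument so only an identical string matches. The code following `if (!empty($_GET['_remote']))` continues outside the hunk.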
@@ -372,9 +373,7 @@ if ($_task=='settings')
// parse main template
-// only allow these templates to be included
-if (in_array($_task, $MAIN_TASKS))
- parse_template($_task);
+parse_template($_task);
// if we arrive here, something went wrong
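Review bot: `parse_template($_task);` now depends on the allowlist check this commit moved up to where `$_task` is read (the `@@ -90` hunk), but nothing at the call site records that, and the deleted line `// only allow these templates to be included` was the one place a reader would have learned the invariant. A one-line comment such as `// $_task was restricted to $MAIN_TASKS when it was read above` keeps the reason the guard disappeared visible. The surrounding code continues outside the hunk.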
diff --git a/program/include/main.inc b/program/include/main.inc
index da449c64c..55336fd30 100644
--- a/program/include/main.inc
+++ b/program/include/main.inc
@@ -1063,7 +1063,13 @@ function get_input_value($fname, $source, $allow_html=FALSE, $charset=NULL)
return $value;
}
-
+/**
+ * Remove single and double quotes from given string
+ */
+function strip_quotes($str)
+{
+ return preg_replace('/[\'"]/', '', $str);
+}
// ************** template parsing and gui functions **************
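Review bot: strip_quotes returns whatever preg_replace returns, so on a PCRE failure the caller receives null rather than a string, and if get_input_value ever hands it an array (a `_task[]=` style parameter, should that function pass arrays through — not visible here) it returns an array; neither is what the `empty()`/`in_array` check in index.php expects, although both happen to fall back to `'mail'` for `$_task`, while `$_action` has no such fallback. Guarding the input, `if (!is_string($str)) return '';` before the `preg_replace`, would pin the contract to strings. The docblock should also say what the function is not: I would extend it with `@param string $str` / `@return string` and a sentence such as "Strips quote characters only; `<`, `>` and `&` are left in place, so this is not an HTML escape and output must still be escaped for its context."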