diff options
author | thomascube <thomas@roundcube.net> | 2006-11-22 11:42:37 +0000 |
---|---|---|
committer | thomascube <thomas@roundcube.net> | 2006-11-22 11:42:37 +0000 |
commit | e34ae17809c3dff8ed870405ffed4e0077cb8512 (patch) | |
tree | ab8abe4cd31c0702cb60a2c550a8f650c07d4758 | |
parent | 0023c18291a077d983e457f07f59108338d17f8f (diff) |
Fixed XSS vulnerability (Bug #1484109)
-rw-r--r-- | index.php | 15 | ||||
-rw-r--r-- | program/include/main.inc | 8 |
2 files changed, 14 insertions, 9 deletions
@@ -2,7 +2,7 @@ /* +-----------------------------------------------------------------------+ | RoundCube Webmail IMAP Client | - | Version 0.1-20060907 | + | Version 0.1-20061122 | | | | Copyright (C) 2005-2006, RoundCube Dev. - Switzerland | | Licensed under the GNU GPL | @@ -40,7 +40,7 @@ */ -define('RCMAIL_VERSION', '0.1-20060907'); +define('RCMAIL_VERSION', '0.1-20061122'); // define global vars $CHARSET = 'UTF-8'; @@ -90,11 +90,12 @@ require_once('PEAR.php'); // catch some url/post parameters -$_task = get_input_value('_task', RCUBE_INPUT_GPC); -$_action = get_input_value('_action', RCUBE_INPUT_GPC); +$_task = strip_quotes(get_input_value('_task', RCUBE_INPUT_GPC)); +$_action = strip_quotes(get_input_value('_action', RCUBE_INPUT_GPC)); $_framed = (!empty($_GET['_framed']) || !empty($_POST['_framed'])); -if (empty($_task)) +// use main task if empty or invalid value +if (empty($_task) || !in_array($_task, $MAIN_TASKS)) $_task = 'mail'; if (!empty($_GET['_remote'])) @@ -372,9 +373,7 @@ if ($_task=='settings') // parse main template -// only allow these templates to be included -if (in_array($_task, $MAIN_TASKS)) - parse_template($_task); +parse_template($_task); // if we arrive here, something went wrong diff --git a/program/include/main.inc b/program/include/main.inc index da449c64c..55336fd30 100644 --- a/program/include/main.inc +++ b/program/include/main.inc @@ -1063,7 +1063,13 @@ function get_input_value($fname, $source, $allow_html=FALSE, $charset=NULL) return $value; } - +/** + * Remove single and double quotes from given string + */ +function strip_quotes($str) +{ + return preg_replace('/[\'"]/', '', $str); +} // ************** template parsing and gui functions ************** |