authorthomascube <thomas@roundcube.net>2005-09-29 20:30:10 +0000
committerthomascube <thomas@roundcube.net>2005-09-29 20:30:10 +0000
commit539cd47824ec6b03b44f9f7c5af8a1e60df0458b (patch)
treeec90fc2acd6dab9ad71bc19a51ee9d989a4e3ef5
parent30233b8dfb7fe5070dfa11b3e6d2015fb50aa769 (diff)
Fix for URL injection vulnerability (Bug #1307966)
-rw-r--r--index.php14
-rw-r--r--program/steps/error.inc2
2 files changed, 14 insertions, 2 deletions
diff --git a/index.php b/index.php
index 19623aa30..bdccd379f 100644
--- a/index.php
+++ b/index.php
@@ -267,7 +267,19 @@ if ($_task=='settings')
}
+// only allow these templates to be included
+$valid_tasks = array('mail','settings','addressbook');
+
// parse main template
-parse_template($_task);
+if (in_array($_task, $valid_tasks))
+ parse_template($_task);
+
+// if we arrive here, something went wrong
+raise_error(array('code' => 404,
+ 'type' => 'php',
+ 'line' => __LINE__,
+ 'file' => __FILE__,
+ 'message' => "Invalid request"), TRUE, TRUE);
+
?> \ No newline at end of file
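Review bot: The unconditional raise_error() call after the template parse only works as the comment "if we arrive here, something went wrong" intends if parse_template() never returns for a valid task; if it does return, every allowed request also ends in a 404. Guarding the error with an `else` branch (or placing an explicit `exit;` after `parse_template($_task);`) makes the control flow hold without depending on that. The in_array() allowlist check should also pass `true` as its third argument so matching is strict, `if (in_array($_task, $valid_tasks, true))`. Whether raise_error() terminates the script on its two TRUE arguments, and where $_task is assigned, lies outside this hunk.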
diff --git a/program/steps/error.inc b/program/steps/error.inc
index efe30407e..9e5757d7b 100644
--- a/program/steps/error.inc
+++ b/program/steps/error.inc
@@ -52,7 +52,7 @@ else if ($ERROR_CODE==401)
else if ($ERROR_CODE==404)
{
$__error_title = "REQUEST FAILED/FILE NOT FOUND";
- $request_url = $GLOBALS['HTTP_HOST'].$GLOBALS['REQUEST_URI'];
+ $request_url = $_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
$__error_text = <<<EOF
The requested page was not found!<br />
Please contact your server-administrator.
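Review bot: $request_url is now assembled from $_SERVER['HTTP_HOST'] and $_SERVER['REQUEST_URI'], both of which come straight from the client request; if the heredoc that begins on the following line interpolates it into the error page, it should be HTML-escaped first, e.g. `$request_url = htmlspecialchars($_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'], ENT_QUOTES);`. Moving off $GLOBALS is the right direction, since that lookup could be satisfied by request input under register_globals, but the value remains untrusted either way. The body of the heredoc and the rest of the else-if chain continue past the hunk, so where and how $request_url is rendered cannot be confirmed from here.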