authorthomascube <thomas@roundcube.net>2007-02-16 19:35:03 +0000
committerthomascube <thomas@roundcube.net>2007-02-16 19:35:03 +0000
commitb3ce7915610a6d272cc38ecd2a8b61e04ee4aeae (patch)
tree19456d201c65ccd4a305817a9ffbd0f477f11d49 /program/steps/mail
parent1012ea3946d7fb9c2b8d9598704d6ba64e8db218 (diff)
Better input checking on GET and POST vars
Diffstat (limited to 'program/steps/mail')
-rw-r--r--program/steps/mail/folders.inc8
-rw-r--r--program/steps/mail/func.inc10
-rw-r--r--program/steps/mail/list.inc4
-rw-r--r--program/steps/mail/mark.inc6
-rw-r--r--program/steps/mail/move_del.inc19
-rw-r--r--program/steps/mail/show.inc2
6 files changed, 24 insertions, 25 deletions
diff --git a/program/steps/mail/folders.inc b/program/steps/mail/folders.inc
index 2d160325a..1b7007c39 100644
--- a/program/steps/mail/folders.inc
+++ b/program/steps/mail/folders.inc
@@ -25,10 +25,10 @@ $mbox_name = $IMAP->get_mailbox_name();
// send EXPUNGE command
if ($_action=='expunge')
{
- $success = $IMAP->expunge($_GET['_mbox']);
+ $success = $IMAP->expunge(get_input_value('_mbox', RCUBE_INPUT_GET));
// reload message list if current mailbox
- if ($success && $_GET['_reload'])
+ if ($success && !empty($_GET['_reload']))
{
rcube_remote_response('this.message_list.clear();', TRUE);
$_action = 'list';
@@ -41,9 +41,9 @@ if ($_action=='expunge')
// clear mailbox
else if ($_action=='purge')
{
- $success = $IMAP->clear_mailbox($_GET['_mbox']);
+ $success = $IMAP->clear_mailbox(get_input_value('_mbox', RCUBE_INPUT_GET));
- if ($success && $_GET['_reload'])
+ if ($success && !empty($_GET['_reload']))
{
$commands = "this.message_list.clear();\n";
$commands .= "this.set_env('messagecount', 0);\n";
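Review bot: Both branches still run destructive mailbox operations (`expunge` at the new line 28 and `clear_mailbox` at the new line 44) from nothing more than `_action` and `_mbox` in the query string, so unless a per-session request token is validated before this step is reached, a cross-site GET can still trigger an expunge or purge of the logged-in user's folder; the tighter input reading does not change that. A smaller point: `get_input_value('_mbox', RCUBE_INPUT_GET)` may yield an empty value when `_mbox` is absent, and `$mbox_name` resolved at the top of the hunk header is the natural fallback, e.g. `$mbox = get_input_value('_mbox', RCUBE_INPUT_GET); $success = $IMAP->expunge($mbox ? $mbox : $mbox_name);` — assuming `expunge()` does not already default to the current mailbox. The `if`/`else if` chain continues past the hunk.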
diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc
index 037e83f29..ec257b69b 100644
--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
@@ -30,16 +30,16 @@ if (empty($_SESSION['mbox'])){
}
// set imap properties and session vars
-if (strlen($mbox = get_input_value('_mbox', RCUBE_INPUT_GET)))
+if ($mbox = get_input_value('_mbox', RCUBE_INPUT_GPC))
{
$IMAP->set_mailbox($mbox);
$_SESSION['mbox'] = $mbox;
}
-if (strlen($_GET['_page']))
+if (!empty($_GET['_page']))
{
- $IMAP->set_page($_GET['_page']);
- $_SESSION['page'] = $_GET['_page'];
+ $IMAP->set_page((int)$_GET['_page']);
+ $_SESSION['page'] = (int)$_GET['_page'];
}
// set mailbox to INBOX if not set
@@ -59,7 +59,7 @@ if (!empty($_GET['_search']) && isset($_SESSION['search'][$_GET['_search']]))
// define url for getting message parts
if (strlen($_GET['_uid']))
- $GET_URL = sprintf('%s&_action=get&_mbox=%s&_uid=%d', $COMM_PATH, $IMAP->get_mailbox_name(), $_GET['_uid']);
+ $GET_URL = sprintf('%s&_action=get&_mbox=%s&_uid=%d', $COMM_PATH, $IMAP->get_mailbox_name(), get_input_value('_uid', RCUBE_INPUT_GET));
// set current mailbox in client environment
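Review bot: Dropping the `strlen()` wrapper on the new `_mbox` condition (line 33 of the first hunk) changes the test from "non-empty string" to PHP truthiness, so a mailbox literally named `0` is now silently ignored; keep the old shape, `if (strlen($mbox = get_input_value('_mbox', RCUBE_INPUT_GPC)))`. Switching the source from `RCUBE_INPUT_GET` to `RCUBE_INPUT_GPC` also widens where `_mbox` can arrive from — if GPC covers the cookie jar as the name suggests, a one-line comment saying why POST (or cookie) delivery is needed here would help the next reader. In the second hunk the condition still reads `strlen($_GET['_uid'])` directly while the body now calls `get_input_value()`; reading the value once, `if (strlen($uid = get_input_value('_uid', RCUBE_INPUT_GET)))` and passing `$uid` to `sprintf`, keeps the two in step (the `%d` conversion already coerces it to an integer).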
diff --git a/program/steps/mail/list.inc b/program/steps/mail/list.inc
index 9e3b38d57..6e0637441 100644
--- a/program/steps/mail/list.inc
+++ b/program/steps/mail/list.inc
@@ -22,10 +22,8 @@
$REMOTE_REQUEST = TRUE;
$OUTPUT_TYPE = 'js';
-$sort = isset($_GET['_sort']) ? $_GET['_sort'] : false;
-
// is there a sort type for this request?
-if ($sort)
+if ($sort = get_input_value('_sort', RCUBE_INPUT_GET))
{
// yes, so set the sort vars
list($sort_col, $sort_order) = explode('_', $sort);
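Review bot: The new condition hands `$sort` straight to `list($sort_col, $sort_order) = explode('_', $sort)` on the next line without checking that the value actually has two parts, so a `_sort` of `date` leaves `$sort_order` undefined (with a notice) and a value like `a_b_c` silently drops the tail. Splitting once and checking the shape, `$parts = explode('_', $sort); if (count($parts) == 2) list($sort_col, $sort_order) = $parts;`, closes that gap; if `$sort_col` and `$sort_order` are later passed into the IMAP SORT command or stored in the session, validating them against the known column names and `ASC`/`DESC` is best done right here. The rest of the block lies outside the hunk.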
diff --git a/program/steps/mail/mark.inc b/program/steps/mail/mark.inc
index e6e06f976..780bf5c6e 100644
--- a/program/steps/mail/mark.inc
+++ b/program/steps/mail/mark.inc
@@ -25,10 +25,10 @@ $a_flags_map = array('undelete' => 'UNDELETED',
'read' => 'SEEN',
'unread' => 'UNSEEN');
-if ($_GET['_uid'] && $_GET['_flag'])
+if (($uids = get_input_value('_uid', RCUBE_INPUT_GET)) && ($flag = get_input_value('_flag', RCUBE_INPUT_GET)))
{
- $flag = $a_flags_map[$_GET['_flag']] ? $a_flags_map[$_GET['_flag']] : strtoupper($_GET['_flag']);
- $marked = $IMAP->set_flag($_GET['_uid'], $flag);
+ $flag = $a_flags_map[$flag] ? $a_flags_map[$flag] : strtoupper($flag);
+ $marked = $IMAP->set_flag($uids, $flag);
if ($marked != -1)
{
$mbox_name = $IMAP->get_mailbox_name();
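Review bot: The rewritten `$flag` line (`$a_flags_map[$flag] ? $a_flags_map[$flag] : strtoupper($flag)`) still indexes the map with a caller-supplied key before checking it exists, so any value not in the map raises an undefined-index notice and then falls through to `strtoupper($flag)`, which hands an arbitrary flag name to `$IMAP->set_flag()`. `isset($a_flags_map[$flag]) ? $a_flags_map[$flag] : strtoupper($flag)` removes the notice; if only the mapped flags are meant to be settable, reject unknown values instead of upper-casing them. `$uids` is likewise passed through as received here and in both branches of move_del.inc — if `get_input_value()` does not constrain it and a plain comma-separated list of integers is the only accepted shape, a check such as `preg_match('/^[0-9]+(,[0-9]+)*$/', $uids)` before the IMAP call is cheap. The `if` body continues past the hunk.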
diff --git a/program/steps/mail/move_del.inc b/program/steps/mail/move_del.inc
index b0079f75f..8d31e3aa5 100644
--- a/program/steps/mail/move_del.inc
+++ b/program/steps/mail/move_del.inc
@@ -22,10 +22,11 @@
$REMOTE_REQUEST = TRUE;
// move messages
-if ($_action=='moveto' && $_GET['_uid'] && $_GET['_target_mbox'])
+if ($_action=='moveto' && !empty($_GET['_uid']) && !empty($_GET['_target_mbox']))
{
- $count = sizeof(explode(',', $_GET['_uid']));
- $moved = $IMAP->move_message($_GET['_uid'], $_GET['_target_mbox'], $_GET['_mbox']);
+ $count = sizeof(explode(',', ($uids = get_input_value('_uid', RCUBE_INPUT_GET))));
+ $target = get_input_value('_target_mbox', RCUBE_INPUT_GET);
+ $moved = $IMAP->move_message($uids, $target, get_input_value('_mbox', RCUBE_INPUT_GET));
if (!$moved)
{
@@ -38,10 +39,10 @@ if ($_action=='moveto' && $_GET['_uid'] && $_GET['_target_mbox'])
}
// delete messages
-else if ($_action=='delete' && $_GET['_uid'])
+else if ($_action=='delete' && !empty($_GET['_uid']))
{
- $count = sizeof(explode(',', $_GET['_uid']));
- $del = $IMAP->delete_message($_GET['_uid'], $_GET['_mbox']);
+ $count = sizeof(explode(',', ($uids = get_input_value('_uid', RCUBE_INPUT_GET))));
+ $del = $IMAP->delete_message($uids, get_input_value('_mbox', RCUBE_INPUT_GET));
if (!$del)
{
@@ -60,7 +61,7 @@ else
}
// refresh saved seach set after moving some messages
-if (($search_request = $_GET['_search']) && $IMAP->search_set)
+if (($search_request = get_input_value('_search', RCUBE_INPUT_GPC)) && $IMAP->search_set)
$_SESSION['search'][$search_request] = $IMAP->refresh_search();
@@ -75,8 +76,8 @@ $commands .= sprintf("this.set_env('pagecount', %d);\n", $pages);
$mbox = $IMAP->get_mailbox_name();
$commands .= sprintf("this.set_unread_count('%s', %d);\n", $mbox, $IMAP->messagecount($mbox, 'UNSEEN'));
-if ($_action=='moveto')
- $commands .= sprintf("this.set_unread_count('%s', %d);\n", $_GET['_target_mbox'], $IMAP->messagecount($_GET['_target_mbox'], 'UNSEEN'));
+if ($_action=='moveto' && $target)
+ $commands .= sprintf("this.set_unread_count('%s', %d);\n", $target, $IMAP->messagecount($target, 'UNSEEN'));
$commands .= sprintf("this.set_quota('%s');\n", $IMAP->get_quota());
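Review bot: `$target` in the last hunk (`if ($_action=='moveto' && $target)`) is only assigned inside the `moveto` branch of the first hunk, so a `moveto` request whose `_uid` or `_target_mbox` is empty reaches this line with `$target` never set and triggers an undefined-variable notice; initialise it before the `if`/`else if` chain (`$target = null;`) or test `!empty($target)` here. In the first two hunks the assignment buried inside `sizeof(explode(',', ($uids = get_input_value(...))))` reads awkwardly; pulling `$uids = get_input_value('_uid', RCUBE_INPUT_GET);` onto its own line ahead of the `$count` computation makes the flow obvious, and the same shape suits the `delete` branch. Both branches continue past their hunks.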
diff --git a/program/steps/mail/show.inc b/program/steps/mail/show.inc
index b1fa7cfb7..841a41b36 100644
--- a/program/steps/mail/show.inc
+++ b/program/steps/mail/show.inc
@@ -64,7 +64,7 @@ if ($_GET['_uid'])
// mark message as read
if (!$MESSAGE['headers']->seen && $_action != 'preview')
- $IMAP->set_flag($_GET['_uid'], 'SEEN');
+ $IMAP->set_flag($MESSAGE['UID'], 'SEEN');
// give message uid to the client
$javascript = sprintf("%s.set_env('uid', '%s');\n", $JS_OBJECT_NAME, $MESSAGE['UID']);
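Review bot: The enclosing block is still entered on `if ($_GET['_uid'])` (visible in the hunk header), the raw truthiness test this commit replaces elsewhere, which also emits an undefined-index notice when the parameter is missing; `if (strlen(get_input_value('_uid', RCUBE_INPUT_GET)))` would match the rest of the change. Reading the SEEN-flag target from `$MESSAGE['UID']` rather than the request is the right call, so only that outer condition is left inconsistent. The condition and the rest of the block sit outside the hunk.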