diff options
author | thomascube <thomas@roundcube.net> | 2006-12-22 21:45:21 +0000 |
---|---|---|
committer | thomascube <thomas@roundcube.net> | 2006-12-22 21:45:21 +0000 |
commit | ee883ad73d64639eb994a71e15b1a37c07ff3cb9 (patch) | |
tree | 2dd00a5976d0cb31a006f6489b9b9d3d0438abb3 /program | |
parent | 8af7757525b312b001bede8b044b83e993860878 (diff) |
Applied security patches by Kees Cook (Ubuntu) + little visual enhancements
Diffstat (limited to 'program')
-rw-r--r-- | program/blocked.gif | bin | 0 -> 118 bytes | |||
-rw-r--r-- | program/include/main.inc | 20 | ||||
-rw-r--r-- | program/steps/addressbook/delete.inc | 4 | ||||
-rw-r--r-- | program/steps/mail/func.inc | 7 | ||||
-rw-r--r-- | program/steps/mail/sendmail.inc | 2 | ||||
-rw-r--r-- | program/steps/settings/delete_identity.inc | 4 |
6 files changed, 30 insertions, 7 deletions
diff --git a/program/blocked.gif b/program/blocked.gif Binary files differnew file mode 100644 index 000000000..7a4aa9f34 --- /dev/null +++ b/program/blocked.gif diff --git a/program/include/main.inc b/program/include/main.inc index c57aa8a9f..a1c00d340 100644 --- a/program/include/main.inc +++ b/program/include/main.inc @@ -450,6 +450,26 @@ function rcmail_login($user, $pass, $host=NULL) if (!$host) $host = $CONFIG['default_host']; + // Validate that selected host is in the list of configured hosts + if (is_array($CONFIG['default_host'])) + { + $allowed = FALSE; + foreach ($CONFIG['default_host'] as $key => $host_allowed) + { + if (!is_numeric($key)) + $host_allowed = $key; + if ($host == $host_allowed) + { + $allowed = TRUE; + break; + } + } + if (!$allowed) + return FALSE; + } + else if (!empty($CONFIG['default_host']) && $host != $CONFIG['default_host']) + return FALSE; + // parse $host URL $a_host = parse_url($host); if ($a_host['host']) diff --git a/program/steps/addressbook/delete.inc b/program/steps/addressbook/delete.inc index b95988d12..3e33cd864 100644 --- a/program/steps/addressbook/delete.inc +++ b/program/steps/addressbook/delete.inc @@ -21,7 +21,7 @@ $REMOTE_REQUEST = TRUE; -if ($_GET['_cid']) +if ($_GET['_cid'] && preg_match('/^[0-9]+(,[0-9]+)*$/',$_GET['_cid'])) { $DB->query("UPDATE ".get_table_name('contacts')." SET del=1 @@ -96,4 +96,4 @@ if ($_GET['_cid']) } exit; -?>
\ No newline at end of file +?> diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc index f01e95bb9..57f20e57a 100644 --- a/program/steps/mail/func.inc +++ b/program/steps/mail/func.inc @@ -739,7 +739,7 @@ function rcmail_print_body($part, $safe=FALSE, $plain=FALSE) '/url\s*\(["\']?([\.\/]+[^"\'\s]+)["\']?\)/i', '/<script.+<\/script>/Umis'); - $remote_replaces = array('<img \\1src=\\2./program/blank.gif\\4', + $remote_replaces = array('<img \\1src=\\2./program/blocked.gif\\4', '', '', '', @@ -1210,7 +1210,8 @@ function rcmail_mod_html_body($body, $container_id) } // replace event handlers on any object - $body = preg_replace('/\s(on[a-z]+)=/im', ' __removed=', $body); + $body = preg_replace('/\s(on[^=]+)=/im', ' __removed=', $body); + $body = preg_replace('/\shref=["\']?(javascript:)/im', 'null:', $body); // resolve <base href> $base_reg = '/(<base.*href=["\']?)([hftps]{3,5}:\/{2}[^"\'\s]+)([^<]*>)/i'; @@ -1251,7 +1252,7 @@ function rcmail_alter_html_link($in) if (stristr((string)$attrib['href'], 'mailto:')) $attrib['onclick'] = sprintf("return %s.command('compose','%s',this)", $GLOBALS['JS_OBJECT_NAME'], - substr($attrib['href'], 7)); + JQ(substr($attrib['href'], 7))); else if (!empty($attrib['href']) && $attrib['href']{0}!='#') $attrib['target'] = '_blank'; diff --git a/program/steps/mail/sendmail.inc b/program/steps/mail/sendmail.inc index 716072a48..2d2cb33db 100644 --- a/program/steps/mail/sendmail.inc +++ b/program/steps/mail/sendmail.inc @@ -100,6 +100,8 @@ function rcmail_attach_emoticons(&$mime_message) $image_name = substr($body, $pos + strlen($searchstr), $pos2 - ($pos + strlen($searchstr))); + // sanitize image name so resulting attachment doesn't leave images dir + $image_name = preg_replace('/[^a-zA-Z0-9_\.\-]/i','',$image_name); $body_post = substr($body, $pos2); diff --git a/program/steps/settings/delete_identity.inc b/program/steps/settings/delete_identity.inc index b8f9f526c..24bf99c43 100644 --- a/program/steps/settings/delete_identity.inc +++ b/program/steps/settings/delete_identity.inc @@ -21,7 +21,7 @@ $REMOTE_REQUEST = $_GET['_remote'] ? TRUE : FALSE; -if ($_GET['_iid']) +if ($_GET['_iid'] && preg_match('/^[0-9]+(,[0-9]+)*$/',$_GET['_iid'])) { $DB->query("UPDATE ".get_table_name('identities')." SET del=1 @@ -50,4 +50,4 @@ $_action = 'identities'; // overwrite action variable $OUTPUT->add_script(sprintf("\n%s.set_env('action', '%s');", $JS_OBJECT_NAME, $_action)); -?>
\ No newline at end of file +?> |