From d5342aabcfeddb959cc286befe6de5bf35fe9d76 Mon Sep 17 00:00:00 2001
From: thomascube
Date: Sun, 25 Nov 2007 19:45:38 +0000
Subject: More input sanitizing
---
 program/include/main.inc | 8 ++++++++
 program/include/rcube_imap.inc | 30 ++++++++++++++++--------------
 program/steps/mail/func.inc | 4 ++--
 program/steps/mail/rss.inc | 2 +-
 4 files changed, 27 insertions(+), 17 deletions(-)
diff --git a/program/include/main.inc b/program/include/main.inc
index f0c603090..55cd8efce 100644
--- a/program/include/main.inc
+++ b/program/include/main.inc
@@ -1279,6 +1279,14 @@ function get_input_value($fname, $source, $allow_html=FALSE, $charset=NULL)
 return $value;
 }
 
+/**
+ * Remove all non-ascii and non-word chars
+ * except . and -
+ */
+function asciiwords($str)
+{
+ return preg_replace('/[^a-z0-9.-_]/i', '', $str);
+}
 
 /**
  * Remove single and double quotes from given string
diff --git a/program/include/rcube_imap.inc b/program/include/rcube_imap.inc
index 8fea05667..5a9994c02 100644
--- a/program/include/rcube_imap.inc
+++ b/program/include/rcube_imap.inc
@@ -5,7 +5,7 @@
 | program/include/rcube_imap.inc |
 | |
 | This file is part of the RoundCube Webmail client |
- | Copyright (C) 2005-2006, RoundCube Dev. - Switzerland |
+ | Copyright (C) 2005-2007, RoundCube Dev. - Switzerland |
 | Licensed under the GNU GPL |
 | |
 | PURPOSE: |
@@ -35,7 +35,7 @@ require_once('lib/mime.inc');
 *
 * @package Mail
 * @author Thomas Bruederli
- * @version 1.39
+ * @version 1.40
 * @link http://ilohamail.org
 */
 class rcube_imap
@@ -527,10 +527,7 @@ class rcube_imap
 if ($this->search_string && $mailbox == $this->mailbox)
 return $this->_list_header_set($mailbox, $this->search_set, $page, $sort_field, $sort_order);
 
- if ($sort_field!=NULL)
- $this->sort_field = $sort_field;
- if ($sort_order!=NULL)
- $this->sort_order = strtoupper($sort_order);
+ $this->_set_sort_order($sort_field, $sort_order);
 
 $max = $this->_messagecount($mailbox);
 $start_msg = ($this->list_page-1) * $this->page_size;
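Review bot: The character class in `asciiwords()` does not match its comment: inside `[...]` the sequence `.-_` is a range from `.` (0x2E) to `_` (0x5F), so `/`, `:`, `;`, `<`, `=`, `>`, `?`, `@`, `[`, `\`, `]` and `^` all survive the filter, which undermines its use on `_part` and on the IMAP sort field in the other hunks of this commit. Putting the hyphen last makes it literal: `return preg_replace('/[^a-z0-9._-]/i', '', $str);`. The docblock should also mention the underscore, e.g. `* except . - and _`, and the function deserves a `@param string $str` / `@return string` pair now that it is a sanitizing helper other files rely on.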
@@ -647,10 +644,7 @@ class rcube_imap
 if (!strlen($mailbox) || empty($msgs))
 return array();
 
- if ($sort_field!=NULL)
- $this->sort_field = $sort_field;
- if ($sort_order!=NULL)
- $this->sort_order = strtoupper($sort_order);
+ $this->_set_sort_order($sort_field, $sort_order);
 
 $max = count($msgs);
 $start_msg = ($this->list_page-1) * $this->page_size;
@@ -764,10 +758,7 @@ class rcube_imap
 */
 function message_index($mbox_name='', $sort_field=NULL, $sort_order=NULL)
 {
- if ($sort_field!=NULL)
- $this->sort_field = $sort_field;
- if ($sort_order!=NULL)
- $this->sort_order = strtoupper($sort_order);
+ $this->_set_sort_order($sort_field, $sort_order);
 
 $mailbox = $mbox_name ? $this->_mod_mailbox($mbox_name) : $this->mailbox;
 $key = "$mbox:".$this->sort_field.":".$this->sort_order.".msgi";
@@ -2445,6 +2436,17 @@ class rcube_imap
 return $mbox_name;
 }
 
+ /**
+ * Validate the given input and save to local properties
+ * @access private
+ */
+ function _set_sort_order($sort_field, $sort_order)
+ {
+ if ($sort_field != null)
+ $this->sort_field = asciiwords($sort_field);
+ if ($sort_order != null)
+ $this->sort_order = strtoupper($sort_order) == 'DESC' ? 'DESC' : 'ASC';
+ }
 
 /**
 * Sort mailboxes first by default folders and then in alphabethical order
diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc
index 95deaa4b9..dd3801672 100644
--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
@@ -1191,7 +1191,7 @@ function rcmail_message_part_controls()
 {
 global $CONFIG, $IMAP, $MESSAGE;
 
- $part = get_input_value('_part', RCUBE_INPUT_GPC);
+ $part = asciiwords(get_input_value('_part', RCUBE_INPUT_GPC));
 if (!is_array($MESSAGE) || !is_array($MESSAGE['parts']) || !($_GET['_uid'] && $_GET['_part']) || !$MESSAGE['parts'][$part]) return '';
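Review bot: `_set_sort_order()` whitelists `$sort_order` to the two literals `ASC`/`DESC` but only character-filters `$sort_field` through `asciiwords()`, whose `.-_` range in this commit still lets `/`, `:`, `@` and similar through; the field is then interpolated into the cache key shown in the message_index hunk (`"$mbox:".$this->sort_field...`) and presumably into the IMAP SORT command. Treat the field like the order and compare it against the sort columns the class actually supports, e.g. `if ($sort_field != null && in_array($sort_field, array(/* supported sort columns */), true))`, keeping the previous value otherwise. The block comment should spell out both rules, e.g. `* $sort_order becomes 'DESC' only when it equals 'DESC' case-insensitively, 'ASC' otherwise`.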
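Review bot: The guard after the changed line still tests the raw `$_GET['_part']`, so a value that is non-empty before filtering but empty afterwards passes that check and reaches `$MESSAGE['parts']['']`, which emits an undefined-index notice instead of returning early. Test the filtered value and the key's existence instead: `if (!is_array($MESSAGE) || !is_array($MESSAGE['parts']) || !($_GET['_uid'] && $part) || !isset($MESSAGE['parts'][$part]))`. The `RCUBE_INPUT_GPC` source presumably also reads POST and cookie values while the guard reads `$_GET` only, so the two can disagree; that predates this commit, but the new line is the natural place to unify them. rcmail_message_part_controls continues past the end of the hunk.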
@@ -1225,7 +1225,7 @@ function rcmail_message_part_frame($attrib)
 {
 global $MESSAGE;
 
- $part = $MESSAGE['parts'][get_input_value('_part', RCUBE_INPUT_GPC)];
+ $part = $MESSAGE['parts'][asciiwords(get_input_value('_part', RCUBE_INPUT_GPC))];
 $ctype_primary = strtolower($part->ctype_primary); $attrib['src'] = Q('./?'.str_replace('_frame=', ($ctype_primary=='text' ? '_show=' : '_preload='), $_SERVER['QUERY_STRING']));
diff --git a/program/steps/mail/rss.inc b/program/steps/mail/rss.inc
index 49d5c0efc..0d7d3c463 100644
--- a/program/steps/mail/rss.inc
+++ b/program/steps/mail/rss.inc
@@ -79,7 +79,7 @@ echo '
 
 // Check if the user wants to override the default sortingmethode
 if (isset($_GET['_sort']))
- list($sort_col, $sort_order) = explode('_', $_GET['_sort']);
+ list($sort_col, $sort_order) = explode('_', get_input_value('_sort', RCUBE_INPUT_GET));
 
 // Add message to output
 if ($messagecount > 0)
-- 
cgit v1.2.3
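Review bot: The part looked up on the changed line is dereferenced on the next line (`$part->ctype_primary`) without checking that the key exists, so an unknown or filtered-to-empty `_part` produces a notice and a null dereference rather than a clean exit; the filter added here does not change that. Resolve the id first and bail out when it is missing, e.g. `$part_id = asciiwords(get_input_value('_part', RCUBE_INPUT_GPC));` followed by `if (!isset($MESSAGE['parts'][$part_id])) return '';` (the function's return convention is outside the hunk, so pick the value accordingly). Note also that the `src` built on the last context line comes from `$_SERVER['QUERY_STRING']`, i.e. it re-emits the unfiltered `_part`, so the `_show`/`_preload` handler has to filter on its own; a one-line comment there would stop the next reader from assuming this sanitizing carries over. rcmail_message_part_frame continues past the hunk.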
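Review bot: `explode('_', ...)` yields a single element when `_sort` contains no underscore, so `list($sort_col, $sort_order)` leaves `$sort_order` unset with an undefined-offset notice, and `$sort_col` is not passed through `asciiwords()` the way the IMAP class filters the same value elsewhere in this commit; whether these variables only ever reach `_set_sort_order()` cannot be seen from here. Judging by its `$allow_html`/`$charset` signature in the main.inc hunk, `get_input_value()` handles charset and HTML rather than restricting characters, so the switch alone does not bound the value. A tolerant split would be `$sort = explode('_', get_input_value('_sort', RCUBE_INPUT_GET));` then `$sort_col = asciiwords($sort[0]);` and `$sort_order = isset($sort[1]) ? $sort[1] : null;`.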