From ee883ad73d64639eb994a71e15b1a37c07ff3cb9 Mon Sep 17 00:00:00 2001
From: thomascube
Date: Fri, 22 Dec 2006 21:45:21 +0000
Subject: Applied security patches by Kees Cook (Ubuntu) + little visual enhancements
---
 program/include/main.inc | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
(limited to 'program/include')
diff --git a/program/include/main.inc b/program/include/main.inc
index c57aa8a9f..a1c00d340 100644
--- a/program/include/main.inc
+++ b/program/include/main.inc
@@ -450,6 +450,26 @@ function rcmail_login($user, $pass, $host=NULL)
 if (!$host)
 $host = $CONFIG['default_host'];
 
+ // Validate that selected host is in the list of configured hosts
+ if (is_array($CONFIG['default_host']))
+ {
+ $allowed = FALSE;
+ foreach ($CONFIG['default_host'] as $key => $host_allowed)
+ {
+ if (!is_numeric($key))
+ $host_allowed = $key;
+ if ($host == $host_allowed)
+ {
+ $allowed = TRUE;
+ break;
+ }
+ }
+ if (!$allowed)
+ return FALSE;
+ }
+ else if (!empty($CONFIG['default_host']) && $host != $CONFIG['default_host'])
+ return FALSE;
+
 // parse $host URL
 $a_host = parse_url($host);
 if ($a_host['host'])
-- 
cgit v1.2.3
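Review bot: The allow-list test uses loose comparison in both branches (`$host == $host_allowed` and `$host != $CONFIG['default_host']`), so PHP type juggling decides whether a submitted host matches a configured one; two numeric-looking strings such as "1e1" and "10" compare equal under `==`. Whether such a value can occur in the configured host list is not visible here, but an access-control check should not depend on it: use `if ($host === $host_allowed)` and `else if (!empty($CONFIG['default_host']) && $host !== $CONFIG['default_host'])`. Note also that when `$CONFIG['default_host']` is empty neither branch runs and any host is accepted, which deserves a comment such as `// empty default_host: host is user-supplied and not restricted`. Both rejections are a bare `return FALSE`, indistinguishable from a failed login, so a log entry recording the refused host would help detection. The body of rcmail_login starts before and continues after this hunk.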