From ee883ad73d64639eb994a71e15b1a37c07ff3cb9 Mon Sep 17 00:00:00 2001 From: thomascube Date: Fri, 22 Dec 2006 21:45:21 +0000 Subject: Applied security patches by Kees Cook (Ubuntu) + little visual enhancements --- program/blocked.gif | Bin 0 -> 118 bytes program/include/main.inc | 20 ++++++++++++++++++++ program/steps/addressbook/delete.inc | 4 ++-- program/steps/mail/func.inc | 7 ++++--- program/steps/mail/sendmail.inc | 2 ++ program/steps/settings/delete_identity.inc | 4 ++-- 6 files changed, 30 insertions(+), 7 deletions(-) create mode 100644 program/blocked.gif (limited to 'program') diff --git a/program/blocked.gif b/program/blocked.gif new file mode 100644 index 000000000..7a4aa9f34 Binary files /dev/null and b/program/blocked.gif differ diff --git a/program/include/main.inc b/program/include/main.inc index c57aa8a9f..a1c00d340 100644 --- a/program/include/main.inc +++ b/program/include/main.inc @@ -450,6 +450,26 @@ function rcmail_login($user, $pass, $host=NULL) if (!$host) $host = $CONFIG['default_host']; + // Validate that selected host is in the list of configured hosts + if (is_array($CONFIG['default_host'])) + { + $allowed = FALSE; + foreach ($CONFIG['default_host'] as $key => $host_allowed) + { + if (!is_numeric($key)) + $host_allowed = $key; + if ($host == $host_allowed) + { + $allowed = TRUE; + break; + } + } + if (!$allowed) + return FALSE; + } + else if (!empty($CONFIG['default_host']) && $host != $CONFIG['default_host']) + return FALSE; + // parse $host URL $a_host = parse_url($host); if ($a_host['host']) diff --git a/program/steps/addressbook/delete.inc b/program/steps/addressbook/delete.inc index b95988d12..3e33cd864 100644 --- a/program/steps/addressbook/delete.inc +++ b/program/steps/addressbook/delete.inc @@ -21,7 +21,7 @@ $REMOTE_REQUEST = TRUE; -if ($_GET['_cid']) +if ($_GET['_cid'] && preg_match('/^[0-9]+(,[0-9]+)*$/',$_GET['_cid'])) { $DB->query("UPDATE ".get_table_name('contacts')." SET del=1 @@ -96,4 +96,4 @@ if ($_GET['_cid']) } exit; -?> \ No newline at end of file +?> diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc index f01e95bb9..57f20e57a 100644 --- a/program/steps/mail/func.inc +++ b/program/steps/mail/func.inc @@ -739,7 +739,7 @@ function rcmail_print_body($part, $safe=FALSE, $plain=FALSE) '/url\s*\(["\']?([\.\/]+[^"\'\s]+)["\']?\)/i', '//Umis'); - $remote_replaces = array(' $base_reg = '/()/i'; @@ -1251,7 +1252,7 @@ function rcmail_alter_html_link($in) if (stristr((string)$attrib['href'], 'mailto:')) $attrib['onclick'] = sprintf("return %s.command('compose','%s',this)", $GLOBALS['JS_OBJECT_NAME'], - substr($attrib['href'], 7)); + JQ(substr($attrib['href'], 7))); else if (!empty($attrib['href']) && $attrib['href']{0}!='#') $attrib['target'] = '_blank'; diff --git a/program/steps/mail/sendmail.inc b/program/steps/mail/sendmail.inc index 716072a48..2d2cb33db 100644 --- a/program/steps/mail/sendmail.inc +++ b/program/steps/mail/sendmail.inc @@ -100,6 +100,8 @@ function rcmail_attach_emoticons(&$mime_message) $image_name = substr($body, $pos + strlen($searchstr), $pos2 - ($pos + strlen($searchstr))); + // sanitize image name so resulting attachment doesn't leave images dir + $image_name = preg_replace('/[^a-zA-Z0-9_\.\-]/i','',$image_name); $body_post = substr($body, $pos2); diff --git a/program/steps/settings/delete_identity.inc b/program/steps/settings/delete_identity.inc index b8f9f526c..24bf99c43 100644 --- a/program/steps/settings/delete_identity.inc +++ b/program/steps/settings/delete_identity.inc @@ -21,7 +21,7 @@ $REMOTE_REQUEST = $_GET['_remote'] ? TRUE : FALSE; -if ($_GET['_iid']) +if ($_GET['_iid'] && preg_match('/^[0-9]+(,[0-9]+)*$/',$_GET['_iid'])) { $DB->query("UPDATE ".get_table_name('identities')." SET del=1 @@ -50,4 +50,4 @@ $_action = 'identities'; // overwrite action variable $OUTPUT->add_script(sprintf("\n%s.set_env('action', '%s');", $JS_OBJECT_NAME, $_action)); -?> \ No newline at end of file +?> -- cgit v1.2.3