On Thursday 22 March 2007 13:07, Marcos Marado wrote:
> > Ola Lundqvist <[EMAIL PROTECTED]> wrote:
> >
> > Interesting! Will you create a fix for this?
>
> From the diff between imp-h3-4.1.4-rc1 and imp-h3-4.1.4 I extracted a working
> patch to fix the XSS vulnerability. I'm not really sure whether I should submit
> a patch that applies against imp4_4.1.3-2 (in etch) or against
> imp4_4.1.3-3 (in sid)... Well, it will probably work against both. I'll
> send the patch after lunch.
Here's the patch. It was created to be applied against imp4_4.1.3-2. Can I
help with anything else?
--
Marcos Marado
Sonaecom IT
diff -ru imp-h3-4.1.3/templates/search/fields.inc imp-h3-4.1.3-fixed/templates/search/fields.inc
--- imp-h3-4.1.3/templates/search/fields.inc 2006-01-01 07:02:09.000000000 +0000
+++ imp-h3-4.1.3-fixed/templates/search/fields.inc 2007-03-22 13:11:00.000000000 +0000
@@ -21,7 +21,7 @@
($imp_search_fields[$curr_field]['type'] == IMP_SEARCH_BODY) ||
($imp_search_fields[$curr_field]['type'] == IMP_SEARCH_TEXT)): ?>
<td class="item0 leftAlign">
- <input type="text" name="search_text[<?php echo $i ?>]" size="40" <?php if (!empty($search['text'][$i])) echo 'value="' . $search['text'][$i] . '" '; ?>/>
+ <input type="text" name="search_text[<?php echo $i ?>]" size="40" <?php if (!empty($search['text'][$i])) echo 'value="' . htmlspecialchars($search['text'][$i]) . '" '; ?>/>
<input type="checkbox" name="search_text_not[<?php echo $i ?>]" <?php if (!empty($search['text_not'][$i])) echo 'checked="checked" '; ?>/>
<em><?php echo _("Do NOT match") ?></em>
</td>
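Review bot: The new `htmlspecialchars()` call on the `value` attribute relies on the default flags and default charset (ISO-8859-1 on the PHP generation this targets), while the thread.php hunk in the same patch passes `ENT_COMPAT, NLS::getCharset()`; with a multibyte UI charset the escaper and the page charset can disagree, and the two fixes should not differ in strength. Suggest the same form here: `htmlspecialchars($search['text'][$i], ENT_COMPAT, NLS::getCharset())`. The attribute is double-quoted, so ENT_COMPAT is sufficient for this line; `ENT_QUOTES` would be the safer habit if a template ever switches to single quotes. `$i` in the `name` attribute is still echoed raw; that is harmless if it is a loop counter, but the loop begins outside this hunk, so it is worth confirming it never comes from the request.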
diff -ru imp-h3-4.1.3/templates/search/header.inc imp-h3-4.1.3-fixed/templates/search/header.inc
--- imp-h3-4.1.3/templates/search/header.inc 2006-02-08 21:28:57.000000000 +0000
+++ imp-h3-4.1.3-fixed/templates/search/header.inc 2007-03-22 13:11:00.000000000 +0000
@@ -2,12 +2,12 @@
<input type="hidden" name="actionID" value="update_search" />
<input type="hidden" name="delete_field_id" value="" />
<?php if ($edit_query_id): ?>
-<input type="hidden" name="edit_query_id" value="<?php echo $edit_query_id ?>" />
+<input type="hidden" name="edit_query_id" value="<?php echo htmlspecialchars($edit_query_id) ?>" />
<?php endif; ?>
<?php if (!empty($search['mbox'])): ?>
-<input type="hidden" name="mbox" value="<?php echo $search['mbox'] ?>" />
+<input type="hidden" name="mbox" value="<?php echo htmlspecialchars($search['mbox']) ?>" />
<?php elseif ($subscribe): ?>
-<input type="hidden" name="show_subscribed_only" value="<?php echo $shown ?>" />
+<input type="hidden" name="show_subscribed_only" value="<?php echo htmlspecialchars($shown) ?>" />
<?php endif; ?>
<div align="center">
<table border="0" cellspacing="0" cellpadding="2" width="100%">
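Review bot: The three hidden fields are now escaped, but with the default charset rather than the `NLS::getCharset()` the thread.php hunk uses; if the UI charset is multibyte the output should be escaped with the same charset the page declares, e.g. `htmlspecialchars($edit_query_id, ENT_COMPAT, NLS::getCharset())`. If `edit_query_id` is an integer key into the saved-search list (not visible from here), validating it as an integer where it is read from the request would be a stronger fix than output escaping alone, and the escaping here would then be a belt-and-braces measure. The `$subscribe` branch only echoes `$shown`, whose origin is outside the hunk.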
diff -ru imp-h3-4.1.3/templates/search/main.inc imp-h3-4.1.3-fixed/templates/search/main.inc
--- imp-h3-4.1.3/templates/search/main.inc 2006-02-15 01:29:27.000000000 +0000
+++ imp-h3-4.1.3-fixed/templates/search/main.inc 2007-03-22 13:11:00.000000000 +0000
@@ -77,7 +77,7 @@
</tr>
<?php if (!empty($search['mbox'])): ?>
- <input id="preselected_folders" type="hidden" name="search_folders[]" value="<?php echo $search['mbox'] ?>" />
+ <input id="preselected_folders" type="hidden" name="search_folders[]" value="<?php echo htmlspecialchars($search['mbox']) ?>" />
<?php else: ?>
<tr>
<td class="smallheader leftAlign" colspan="2"><?php echo _("Message folders") ?></td>
@@ -126,7 +126,7 @@
<?php endif; ?>
<tr>
<td class="item1 leftAlign" nowrap="nowrap">
- <em><?php echo _("Virtual folder label") ?>:</em> <input type="text" id="vfolder_label" name="vfolder_label" <?php if (!empty($search['vfolder_label'])) echo 'value="' . $search['vfolder_label'] . '" '; ?>/>
+ <em><?php echo _("Virtual folder label") ?>:</em> <input type="text" id="vfolder_label" name="vfolder_label" <?php if (!empty($search['vfolder_label'])) echo 'value="' . htmlspecialchars($search['vfolder_label']) . '" '; ?>/>
</td>
</tr>
</table>
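Review bot: `vfolder_label` is free text typed by the user and is the value most likely to carry non-ASCII characters, so this is the line where a charset mismatch between `htmlspecialchars()` and the page would matter most; pass the page charset as the other hunk of this patch does, `htmlspecialchars($search['vfolder_label'], ENT_COMPAT, NLS::getCharset())`. The same applies to the `preselected_folders` hidden field in the earlier hunk of this file. Both hunks sit inside a template whose surrounding PHP starts outside the diff.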
diff -ru imp-h3-4.1.3/thread.php imp-h3-4.1.3-fixed/thread.php
--- imp-h3-4.1.3/thread.php 2006-02-21 07:32:36.000000000 +0000
+++ imp-h3-4.1.3-fixed/thread.php 2007-03-22 13:12:38.000000000 +0000
@@ -119,7 +119,7 @@
$headers->buildAddressLinks('from', Horde::selfUrl(true), true, true);
$curr_msg['date'] = $headers->getValue('date');
$curr_msg['from'] = $headers->getValue('from');
- $subject_header = $headers->getValue('subject');
+ $subject_header = @htmlspecialchars($headers->getValue('subject'), ENT_COMPAT, NLS::getCharset());
if ($mode == 'thread') {
if (empty($subject)) {
$subject = preg_replace('/^re:\s*/i', '', $subject_header);
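Review bot: The `@` in front of `htmlspecialchars()` hides the warning PHP emits when `NLS::getCharset()` returns a charset the function does not support, and in that case the escaper silently falls back to ISO-8859-1 for output that is then served under a different charset; rather than suppressing the warning, the charset should be resolved to one htmlspecialchars accepts (or the fallback made explicit) so the downgrade is visible. Also note `$subject_header` is now an HTML-escaped string: the `preg_replace('/^re:\s*/i', ...)` on the next line is unaffected, but any later use of `$subject` or `$subject_header` that escapes again will double-encode, and any use in a non-HTML context (mail header, URL) will carry entities; the rest of this code path is outside the hunk, so it is worth checking those consumers.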