On Thursday 22 March 2007 13:07, Marcos Marado wrote:
Ola Lundqvist [EMAIL PROTECTED] wrote:
Interesting! Will you create a fix for this?
I took from the diff between imp-h3-4.1.4-rc1 and imp-h3-4.1.4 a working
patch to fix the XSS vulnerability. I'm not really sure if I should submit
a patch that would work against imp4_4.1.3-2 (in etch) or against
imp4_4.1.3-3 (in sid)... Well, probably it will work against both. I'll
send the patch after lunch.
Here's the patch. It was created to be applied against imp4_4.1.3-2. Can I
help with anything else?
--
Marcos Marado
Sonaecom IT
diff -ru imp-h3-4.1.3/templates/search/fields.inc imp-h3-4.1.3-fixed/templates/search/fields.inc
--- imp-h3-4.1.3/templates/search/fields.inc 2006-01-01 07:02:09.0 +
+++ imp-h3-4.1.3-fixed/templates/search/fields.inc 2007-03-22 13:11:00.0 +
@@ -21,7 +21,7 @@
($imp_search_fields[$curr_field]['type'] == IMP_SEARCH_BODY) ||
($imp_search_fields[$curr_field]['type'] == IMP_SEARCH_TEXT)): ?
td class=item0 leftAlign
- input type=text name=search_text[?php echo $i ?] size=40 ?php if (!empty($search['text'][$i])) echo 'value=' . $search['text'][$i] . ' '; ?/
+ input type=text name=search_text[?php echo $i ?] size=40 ?php if (!empty($search['text'][$i])) echo 'value=' . htmlspecialchars($search['text'][$i]) . ' '; ?/
input type=checkbox name=search_text_not[?php echo $i ?] ?php if (!empty($search['text_not'][$i])) echo 'checked=checked '; ?/
em?php echo _(Do NOT match) ?/em
/td
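Review bot: the new htmlspecialchars() call on the search_text `value=` attribute is made with PHP's default flags and default charset, while the thread.php hunk further down in this same patch passes ENT_COMPAT and NLS::getCharset() explicitly; on the PHP releases of this era the default charset is ISO-8859-1, so multibyte search text can be mishandled, and it would be safer and more consistent to write `htmlspecialchars($search['text'][$i], ENT_COMPAT, NLS::getCharset())` here too. The default flags also leave single quotes unescaped, so this fix only holds while the attribute remains double-quoted; if the template ever switches to single-quoted attributes, ENT_QUOTES is needed.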
diff -ru imp-h3-4.1.3/templates/search/header.inc imp-h3-4.1.3-fixed/templates/search/header.inc
--- imp-h3-4.1.3/templates/search/header.inc 2006-02-08 21:28:57.0 +
+++ imp-h3-4.1.3-fixed/templates/search/header.inc 2007-03-22 13:11:00.0 +
@@ -2,12 +2,12 @@
input type=hidden name=actionID value=update_search /
input type=hidden name=delete_field_id value= /
?php if ($edit_query_id): ?
-input type=hidden name=edit_query_id value=?php echo $edit_query_id ? /
+input type=hidden name=edit_query_id value=?php echo htmlspecialchars($edit_query_id) ? /
?php endif; ?
?php if (!empty($search['mbox'])): ?
-input type=hidden name=mbox value=?php echo $search['mbox'] ? /
+input type=hidden name=mbox value=?php echo htmlspecialchars($search['mbox']) ? /
?php elseif ($subscribe): ?
-input type=hidden name=show_subscribed_only value=?php echo $shown ? /
+input type=hidden name=show_subscribed_only value=?php echo htmlspecialchars($shown) ? /
?php endif; ?
div align=center
table border=0 cellspacing=0 cellpadding=2 width=100%
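Review bot: the three hidden inputs are escaped per sink, which is the right place to do it, but `$search['mbox']` is also emitted in main.inc and the fix is only as complete as the list of sinks that were found; before shipping it would be worth searching the remaining templates for `echo $search[` and `echo $edit_query_id` to confirm no other un-escaped output of the same request data was missed. As in the other template hunks, htmlspecialchars() is called here without the charset argument that the thread.php hunk passes; using NLS::getCharset() consistently across the patch avoids differing behaviour for non-Latin-1 mailbox names.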
diff -ru imp-h3-4.1.3/templates/search/main.inc imp-h3-4.1.3-fixed/templates/search/main.inc
--- imp-h3-4.1.3/templates/search/main.inc 2006-02-15 01:29:27.0 +
+++ imp-h3-4.1.3-fixed/templates/search/main.inc 2007-03-22 13:11:00.0 +
@@ -77,7 +77,7 @@
/tr
?php if (!empty($search['mbox'])): ?
- input id=preselected_folders type=hidden name=search_folders[] value=?php echo $search['mbox'] ? /
+ input id=preselected_folders type=hidden name=search_folders[] value=?php echo htmlspecialchars($search['mbox']) ? /
?php else: ?
tr
td class=smallheader leftAlign colspan=2?php echo _(Message folders) ?/td
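Review bot: the hidden `search_folders[]` input with `id=preselected_folders` is the only sink for `$search['mbox']` in the `if` branch and htmlspecialchars() on its attribute is the correct fix; the `?php else: ?` branch that renders the "Message folders" table lies outside this hunk, and the folder names it lists come from the same mailbox namespace as mbox, so confirm that branch escapes them the same way rather than leaving a second path to the same problem.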
@@ -126,7 +126,7 @@
?php endif; ?
tr
td class=item1 leftAlign nowrap=nowrap
- em?php echo _(Virtual folder label) ?:/emnbsp;input type=text id=vfolder_label name=vfolder_label ?php if (!empty($search['vfolder_label'])) echo 'value=' . $search['vfolder_label'] . ' '; ?/
+ em?php echo _(Virtual folder label) ?:/emnbsp;input type=text id=vfolder_label name=vfolder_label ?php if (!empty($search['vfolder_label'])) echo 'value=' . htmlspecialchars($search['vfolder_label']) . ' '; ?/
/td
/tr
/table
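Review bot: the vfolder_label `value=` attribute is now escaped, which is right, and if the label is saved with the virtual folder definition the old code would have re-rendered the raw value on every later edit of that folder, so this sink matters more than a one-shot reflection; the fix still uses default flags and charset, unlike the thread.php hunk, so pass NLS::getCharset() here as well. Stylistically, the conditional `echo 'value=' . htmlspecialchars(...) . ' '` is buried in a very long template line (the same pattern as fields.inc); splitting the attribute construction onto its own line would make future audits of these templates easier.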
diff -ru imp-h3-4.1.3/thread.php imp-h3-4.1.3-fixed/thread.php
--- imp-h3-4.1.3/thread.php 2006-02-21 07:32:36.0 +
+++ imp-h3-4.1.3-fixed/thread.php 2007-03-22 13:12:38.0 +
@@ -119,7 +119,7 @@
$headers-buildAddressLinks('from', Horde::selfUrl(true), true, true);
$curr_msg['date'] = $headers-getValue('date');
$curr_msg['from'] = $headers-getValue('from');
-$subject_header = $headers-getValue('subject');
+ $subject_header = @htmlspecialchars($headers-getValue('subject'), ENT_COMPAT, NLS::getCharset());
if ($mode == 'thread') {
if (empty($subject)) {
$subject = preg_replace('/^re:\s*/i', '', $subject_header);
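Review bot: escaping `$subject_header` at the point of assignment rather than at output changes the meaning of the variable for every later use: line `$subject = preg_replace('/^re:\s*/i', '', $subject_header)` now operates on an HTML-encoded string, and any downstream sink that escapes again will double-encode (`&amp;amp;`), while any sink that is not an HTML attribute or text node (a page title inside a script block, a mail header) is not protected by HTML escaping at all. Keeping the raw subject in `$subject_header` and calling htmlspecialchars() where it is printed would be the safer shape. Two smaller points: the `@` suppression hides the warning htmlspecialchars() emits when NLS::getCharset() returns a charset it does not support, in which case the subject silently becomes an empty string, so log or fall back rather than suppress; and the `+` line gained a leading space relative to the `-` line, so the indentation should be restored to match the surrounding code.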