
List:       squirrelmail-cvs
Subject:    [SM-CVS] CVS: squirrelmail/functions mime.php,1.265.2.27,1.265.2.28
From:       Marc Groot Koerkamp <stekkel () users ! sourceforge ! net>
Date:       2004-05-23 16:14:15
Message-ID: E1BRvc7-0004o8-Dn () sc8-pr-cvs1 ! sourceforge ! net

Update of /cvsroot/squirrelmail/squirrelmail/functions
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv18342/functions

Modified Files:
      Tag: SM-1_4-STABLE
	mime.php 
Log Message:
Fixed XSS vulnerability spotted by "Roman Medina" after a very
thorough research of the SquirrelMail source. I was impressed.



Index: mime.php
===================================================================
RCS file: /cvsroot/squirrelmail/squirrelmail/functions/mime.php,v
retrieving revision 1.265.2.27
retrieving revision 1.265.2.28
diff -u -w -r1.265.2.27 -r1.265.2.28
--- mime.php	3 May 2004 18:50:15 -0000	1.265.2.27
+++ mime.php	23 May 2004 16:14:11 -0000	1.265.2.28
@@ -505,7 +505,9 @@
                         '<A \
                HREF="'.$defaultlink.'">'.decodeHeader($display_filename).'</A>&nbsp;</TD>' \
                .
                         '<TD><SMALL><b>' . show_readable_size($header->size) .
                         '</b>&nbsp;&nbsp;</small></TD>' .
-                        "<TD><SMALL>[ $type0/$type1 ]&nbsp;</SMALL></TD>" .
+                        '<TD><SMALL>[ '. 
+                         htmlspecialchars($type0).'/'.htmlspecialchars($type1).
+                        ' ]&nbsp;</SMALL></TD>'.
                         '<TD><SMALL>';
         $attachments .= '<b>' . $description . '</b>';
         $attachments .= '</SMALL></TD><TD><SMALL>&nbsp;';
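Review bot: the escaping added for `$type0`/`$type1` in the `[ type0/type1 ]` cell is the right fix, but the surrounding context lines in this same hunk still build HTML from other unescaped values: `$attachments .= '<b>' . $description . '</b>';` inserts the attachment description directly into element content, and `HREF="'.$defaultlink.'"` inserts a value into a double-quoted attribute. Unless those are already sanitized upstream (not visible in this hunk), they deserve the same `htmlspecialchars()` treatment; for the attribute case pass `ENT_QUOTES` so an embedded double quote cannot close the attribute. The default flags are sufficient for `$type0`/`$type1` because they land in element text, not an attribute. A one-line comment above the changed lines noting that the MIME type strings come from the message headers and are attacker-controlled would also help the next reader understand why the escaping is there.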


