
XXS fixes, as in stable

Thijs Kinkhorst 22 năm trước cách đây
mục cha
commit
513e603e08

+ 7 - 6
functions/imap_general.php

@@ -151,10 +151,10 @@ function sqimap_read_data_list ($imap_stream, $pre, $handle_errors, &$response,
 	    $string = "<b><font color=$color[2]>\n" .
                 _("ERROR : Could not complete request.") .
                 "</b><br>\n" .
-                _("Query:") .
-                $query . '<br>' .
+                _("Query:") . ' ' .
+                htmlspecialchars($query) . '<br>' .
                 _("Reason Given: ") .
-                $message . "</font><br>\n";
+                htmlspecialchars($message) . "</font><br>\n";
 	    error_box($string,$color);
             exit;
         }
@@ -165,10 +165,10 @@ function sqimap_read_data_list ($imap_stream, $pre, $handle_errors, &$response,
         $string = "<b><font color=$color[2]>\n" .
             _("ERROR : Bad or malformed request.") .
             "</b><br>\n" .
-            _("Query:") .
-            $query . '<br>' .
+            _("Query:") . ' '.
+            htmlspecialchars($query) . '<br>' .
             _("Server responded: ") .
-            $message . "</font><br>\n";
+            htmlspecialchars($message) . "</font><br>\n";
 	error_box($string,$color);    
         exit;
     } 
@@ -286,6 +286,7 @@ function sqimap_login ($username, $password, $imap_server_address, $imap_port, $
         if (!$hide) {
             if ($response != 'NO') {
                 /* "BAD" and anything else gets reported here. */
+		$message = htmlspecialchars($message);
                 set_up_language($squirrelmail_language, true);
 		require_once(SM_PATH . 'functions/display_messages.php');
                 if ($response == 'BAD') {
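Review bot: Escaping `$message` in place on the new line inside the `!$hide` / `!= 'NO'` branch HTML-encodes the value before it is shown but leaves it raw on every other path; if the `'NO'` branch or the `$hide` path (both outside this hunk) render or return `$message`, they are not covered, and any later non-HTML use of `$message` within this branch now carries entities. Applying `htmlspecialchars()` at the point of output, as the first two hunks do for `$query` and `$message`, keeps the raw value intact and makes the coverage visible at each echo. The new line is also tab-indented while its neighbours use spaces, as is `error_box($string,$color);` in the first hunk. The body of sqimap_login continues past the hunk.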

+ 12 - 12
functions/imap_messages.php

@@ -460,14 +460,14 @@ function sqimap_get_small_header_list ($imap_stream, $msg_list) {
                       _("ERROR : Could not complete request.") .
                       '</b><br>' .
                       _("Unknown response from IMAP server: ") . ' 1.' .
-                      $r[0] . "</font><br>\n";
+                      htmlspecialchars($r[0]) . "</font><br>\n";
             } else if (! isset($id2index[$regs[1]]) || !count($id2index[$regs[1]])) {
                 set_up_language($squirrelmail_language);
                 echo '<br><b><font color=$color[2]>' .
                       _("ERROR : Could not complete request.") .
                       '</b><br>' .
                       _("Unknown message number in reply from server: ") .
-                      $regs[1] . "</font><br>\n";
+                      htmlspecialchars($regs[1]) . "</font><br>\n";
             } else {
                 $read_list[$id2index[$regs[1]]] = $r;
             }
@@ -478,14 +478,14 @@ function sqimap_get_small_header_list ($imap_stream, $msg_list) {
                      _("ERROR : Could not complete request.") .
                      '</b><br>' .
                      _("Unknown response from IMAP server: ") . ' 1.' .
-                     $r[0] . "</font><br>\n";
+                     htmlspecialchars($r[0]) . "</font><br>\n";
             } else if (! isset($id2index[$regs[2]]) || !count($id2index[$regs[2]])) {
                 set_up_language($squirrelmail_language);
                 echo '<br><b><font color=$color[2]>' .
                       _("ERROR : Could not complete request.") .
                       '</b><br>' .
                       _("Unknown message number in reply from server: ") .
-                      $regs[2] . "</font><br>\n";
+                      htmlspecialchars($regs[2]) . "</font><br>\n";
             } else {
                 $read_list[$id2index[$regs[2]]] = $r;
                 $unique_id = $regs[2];
@@ -509,13 +509,13 @@ function sqimap_get_small_header_list ($imap_stream, $msg_list) {
         $subject = _("(no subject)");
         $from = _("Unknown Sender");
         $priority = 0;
-        $messageid = "<>";
-        $cc = "";
-        $to = "";
-        $date = "";
-        $type[0] = "";
-        $type[1] = "";
-        $inrepto = "";
+        $messageid = '<>';
+        $cc = '';
+        $to = '';
+        $date = '';
+        $type[0] = '';
+        $type[1] = '';
+        $inrepto = '';
         $flag_seen = false;
         $flag_answered = false;
         $flag_deleted = false;
@@ -536,7 +536,7 @@ function sqimap_get_small_header_list ($imap_stream, $msg_list) {
                         $tmpdate = str_replace('  ',' ',$tmpdate);
                         $tmpdate = explode(' ',$tmpdate);
                         $date = str_replace('-',' ',$tmpdate[0]) . " " .
-                                $tmpdate[1] . " " .
+                                $tmpdate[1] . ' ' .
                                 $tmpdate[2];
                     }
                 }
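Review bot: The `echo '<br><b><font color=$color[2]>'` lines at the head of both `else if` branches (first and second hunk) are single-quoted, so the literal text `$color[2]` is emitted as the colour instead of the configured value; the new `htmlspecialchars()` calls sit in the same statements, so this is the moment to change it to `'<br><b><font color="' . $color[2] . '">'`. The two hunks are otherwise the same block differing only in the `$regs` index, which suggests pulling the error echo into one helper so the escaping cannot drift between the copies. The remaining hunks in this file are quote-style changes only.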

+ 1 - 1
functions/imap_search.php

@@ -102,7 +102,7 @@ function sqimap_search($imapConnection, $search_where, $search_what, $mailbox,
         if (strstr($errors,'* SEARCH')) {
             return array();
         }
-        echo "<!-- $errors -->";
+        echo '<!-- '.htmlspecialchars($errors) .' -->';
     }
 
 
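Review bot: The escaped server text is still delivered to the browser inside an HTML comment, so whatever the IMAP server returned for the failed SEARCH (which may echo back parts of the query) is disclosed to the client even though it is no longer rendered. If this is diagnostic output, `error_log('IMAP SEARCH error: ' . $errors);` keeps the detail server-side; if the comment must stay, the `htmlspecialchars()` call is sufficient, since `>` is encoded and a `-->` in the response cannot terminate the comment early. The spacing in `'<!-- '.htmlspecialchars($errors) .' -->'` is inconsistent; write `'<!-- ' . htmlspecialchars($errors) . ' -->'`.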

+ 8 - 8
src/delete_message.php

@@ -27,19 +27,19 @@ $message = $_GET['message'];
 $mailbox = $_GET['mailbox'];
 
 if (isset($_GET['saved_draft'])) {
-    $saved_draft = $_GET['saved_draft'];
+    $saved_draft = urlencode($_GET['saved_draft']);
 }
 if (isset($_GET['mail_sent'])) {
-    $mail_sent = $_GET['mail_sent'];
+    $mail_sent = urlencode($_GET['mail_sent']);
 }
-$sort = $_GET['sort'];
-$startMessage = $_GET['startMessage'];
+$sort = (int) $_GET['sort'];
+$startMessage = (int) $_GET['startMessage'];
 
 if(isset($_GET['where'])) {
-    $where = $_GET['where'];
+    $where = urlencode($_GET['where']);
 }
 if(isset($_GET['what'])) {
-    $what = $_GET['what'];
+    $what = urlencode($_GET['what']);
 }
 
 $imapConnection = sqimap_login($username, $key, $imapServerAddress, $imapPort, 0);
@@ -61,8 +61,8 @@ if (!isset($mail_sent)) {
 $location = get_location();
 
 if (isset($where) && isset($what)) {
-    header("Location: $location/search.php?where=" . urlencode($where) .
-           '&what=' . urlencode($what) . '&mailbox=' . urlencode($mailbox));
+    header("Location: $location/search.php?where=" . $where .
+           '&what=' . $what . '&mailbox=' . urlencode($mailbox));
 } else {
     if (!empty($saved_draft) || !empty($mail_sent)) {
           header("Location: $location/compose.php?mail_sent=$mail_sent&saved_draft=$saved_draft");
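Review bot: Moving `urlencode()` from the `header()` call to the `$_GET` assignments changes what `$where`, `$what`, `$saved_draft` and `$mail_sent` hold for the rest of the script; if any of them is used between the first hunk and the redirect (the lines around the `sqimap_login` call are outside the hunks), it now receives a percent-encoded value. The old shape, encoding at the `header()` line, was the safer one: keeping the raw values and writing `'&what=' . urlencode($what)` at output also covers the `compose.php` redirect on the last line, which now interpolates `$mail_sent` and `$saved_draft` directly. `$message = $_GET['message']` in the hunk context is left uncast while `$sort` and `$startMessage` get `(int)`; if it is a message number, the same `(int)` cast applies.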

+ 2 - 7
src/download.php

@@ -29,14 +29,9 @@ $key = $_COOKIE['key'];
 $username = $_SESSION['username'];
 $onetimepad = $_SESSION['onetimepad'];
 $mailbox = $_GET['mailbox'];
-$passed_id = $_GET['passed_id'];
+$passed_id = (int) $_GET['passed_id'];
 $ent_id = $_GET['ent_id'];
 $messages = $_SESSION['messages'];
-if (isset($_GET['passed_ent_id'])) {
-   $passed_ent_id = $_GET['passed_ent_id'];
-} else {
-   $passed_ent_id = '';
-}
 
 if (isset($_GET['absolute_dl'])) {
    $absolute_dl = $_GET['absolute_dl'];
@@ -105,7 +100,7 @@ if (strlen($filename) < 1) {
     }
 
     if (strlen($filename) < 1) {
-       $filename = "untitled$ent_id.$suffix";
+       $filename = 'untitled'.strip_tags($ent_id).$suffix;
     } else {
        $filename = "$filename.$suffix";
     }
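Review bot: The new `'untitled'.strip_tags($ent_id).$suffix` drops the `.` between the entity id and the extension that the old `"untitled$ent_id.$suffix"` had, while the `else` branch two lines down still writes `"$filename.$suffix"`, so the fallback now yields something like `untitled2txt` instead of `untitled2.txt`. `strip_tags()` is also the wrong filter for a value that becomes a filename (and presumably a download header further down the file): it removes markup but leaves path separators, quotes and control characters. A whitelist such as `$filename = 'untitled' . preg_replace('/[^A-Za-z0-9_-]/', '', $ent_id) . '.' . $suffix;` addresses both. The first hunk also deletes the `$passed_ent_id` assignment; if it is still referenced later in download.php, that read is now undefined.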

+ 3 - 3
src/image.php

@@ -25,7 +25,7 @@ displayPageHeader($color, 'None');
 
 /* globals */
 $mailbox = $_GET['mailbox'];
-$passed_id = $_GET['passed_id'];
+$passed_id = (int) $_GET['passed_id'];
 $ent_id = $_GET['ent_id'];
 $QUERY_STRING = $_SERVER['QUERY_STRING'];
 /* end globals */
@@ -37,14 +37,14 @@ echo '<BR>' .
     '<B><CENTER>' .
     _("Viewing an image attachment") . " - ";
 
-$msg_url = 'read_body.php?' . $QUERY_STRING;
+$msg_url = 'read_body.php?' . urlencode(strip_tags(urldecode($QUERY_STRING)));
 $msg_url = set_url_var($msg_url, 'ent_id', 0);
 echo '<a href="'.$msg_url.'">'. _("View message") . '</a>';
 
 
 $DownloadLink = '../src/download.php?passed_id=' . $passed_id .
                '&amp;mailbox=' . urlencode($mailbox) . 
-               '&amp;ent_id=' . $ent_id . '&amp;absolute_dl=true';
+               '&amp;ent_id=' . urlencode($ent_id) . '&amp;absolute_dl=true';
 
 echo '</b></td></tr>' . "\n" .
     '<tr><td align=center><A HREF="' . $DownloadLink . '">' .
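Review bot: `urlencode(strip_tags(urldecode($QUERY_STRING)))` encodes the whole query string as one value, so `&` and `=` become `%26` and `%3D` and read_body.php receives a single unnamed parameter; `set_url_var($msg_url, 'ent_id', 0)` on the next line then presumably cannot find `ent_id` either. The same expression is added in src/vcard.php. Rebuild the link from the globals this file already reads, encoding each value on its own: `$msg_url = 'read_body.php?mailbox=' . urlencode($mailbox) . '&passed_id=' . $passed_id . '&ent_id=' . urlencode($ent_id);` and keep the `set_url_var` call. When echoed into `href` the `&` should be `&amp;`, as the `$DownloadLink` below already does.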

+ 1 - 2
src/printer_friendly_bottom.php

@@ -31,8 +31,7 @@ $key = $_COOKIE['key'];
 $username = $_SESSION['username'];
 $onetimepad = $_SESSION['onetimepad'];
 
-$passed_ent_id = $_GET['passed_ent_id'];
-$passed_id = $_GET['passed_id'];
+$passed_id = (int) $_GET['passed_id'];
 $mailbox = $_GET['mailbox'];
 /* end globals */
 
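Review bot: The `$passed_ent_id = $_GET['passed_ent_id']` read is removed here, yet src/printer_friendly_main.php in this same commit still builds the bottom_frame URL with `passed_ent_id=` and urlencodes it; if printer_friendly_bottom.php still uses `$passed_ent_id` further down (outside the hunk), it is now undefined when register_globals is off. If the removal is deliberate because the value is unused, the parameter should be dropped from the frame URL in printer_friendly_main.php as well; otherwise keep the read, e.g. `$passed_ent_id = isset($_GET['passed_ent_id']) ? $_GET['passed_ent_id'] : '';`, and escape it at the point where it is output.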

+ 2 - 2
src/printer_friendly_main.php

@@ -20,14 +20,14 @@ displayHtmlHeader( _("Printer Friendly"), '', FALSE );
 
 /* get those globals into gear */
 $passed_ent_id = $_GET['passed_ent_id'];
-$passed_id = $_GET['passed_id'];
+$passed_id = (int) $_GET['passed_id'];
 $mailbox = $_GET['mailbox'];
 /* end globals */
 
 echo "<frameset rows=\"60, *\" noresize border=\"0\">\n".
      "<frame src=\"printer_friendly_top.php\" name=\"top_frame\" scrolling=\"no\">".
      '<frame src="printer_friendly_bottom.php?passed_ent_id='.
-     $passed_ent_id . '&amp;mailbox=' . urlencode($mailbox) .
+     urlencode($passed_ent_id) . '&amp;mailbox=' . urlencode($mailbox) .
      '&amp;passed_id=' . $passed_id .
      "\" name=\"bottom_frame\">".
      "</frameset>\n".

+ 10 - 10
src/read_body.php

@@ -644,10 +644,10 @@ $base_uri   = $_SESSION['base_uri'];
 $delimiter  = $_SESSION['delimiter'];
 
 if (isset($_GET['passed_id'])) {
-    $passed_id = $_GET['passed_id'];
+    $passed_id = (int) $_GET['passed_id'];
 }
 elseif (isset($_POST['passed_id'])) {
-    $passed_id = $_POST['passed_id'];
+    $passed_id = (int) $_POST['passed_id'];
 }
 
 if (isset($_GET['passed_ent_id'])) {
@@ -662,25 +662,25 @@ if (isset($_GET['sendreceipt'])) {
 }
 
 if (isset($_GET['sort'])) {
-    $sort = $_GET['sort'];
+    $sort = (int) $_GET['sort'];
 }
 elseif (isset($_POST['sort'])) {
-    $sort = $_POST['sort'];
+    $sort = (int) $_POST['sort'];
 }
 if (isset($_GET['startMessage'])) {
-    $startMessage = $_GET['startMessage'];
+    $startMessage = (int) $_GET['startMessage'];
 }
 elseif (isset($_POST['startMessage'])) {
-    $startMessage = $_POST['startMessage'];
+    $startMessage = (int) $_POST['startMessage'];
 }
 if (isset($_GET['show_more'])) {
-    $show_more = $_GET['show_more'];
+    $show_more = (int) $_GET['show_more'];
 }
 if (isset($_GET['show_more_cc'])) {
-    $show_more_cc = $_GET['show_more_cc'];
+    $show_more_cc = (int) $_GET['show_more_cc'];
 }
 if (isset($_GET['show_more_bcc'])) {
-    $show_more_bcc = $_GET['show_more_bcc'];
+    $show_more_bcc = (int) $_GET['show_more_bcc'];
 }
 if (isset($_GET['mailbox'])) {
     $mailbox = $_GET['mailbox'];
@@ -695,7 +695,7 @@ if (isset($_GET['what'])) {
     $what = $_GET['what'];
 }
 if (isset($_GET['view_hdr'])) {
-    $view_hdr = $_GET['view_hdr'];
+    $view_hdr = (int) $_GET['view_hdr'];
 }
 if (isset($_SESSION['server_sort_array'])) {
     $server_sort_array = $_SESSION['server_sort_array'];
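Review bot: The `(int)` casts silently map any non-numeric input to `0`, so a malformed `passed_id`, `sort` or `startMessage` now proceeds as message/sort 0 instead of failing; that is an acceptable hardening but deserves a comment on the first cast, e.g. `/* cast to int: only ever used as numbers, so bad input becomes 0 */`. `$mailbox`, `$where` and `$what` (context lines here) remain raw strings, so their safety rests entirely on escaping at the output sites, which are outside this hunk. The GET/POST-with-isset blocks are repeated for every variable here and in src/right_main.php; a small helper taking the key and returning the cast value would shrink both files and make a missed cast obvious.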

+ 8 - 8
src/right_main.php

@@ -48,9 +48,9 @@ $base_uri = $_SESSION['base_uri'];
 $delimiter = $_SESSION['delimiter'];
  
 if (isset($_GET['startMessage'])) {
-    $startMessage = $_GET['startMessage'];
+    $startMessage = (int) $_GET['startMessage'];
 } elseif (isset($_POST['startMessage'])) {
-    $startMessage = $_POST['startMessage'];
+    $startMessage = (int) $_POST['startMessage'];
 }
 if (isset($_GET['mailbox'])) {
     $mailbox = $_GET['mailbox'];
@@ -58,16 +58,16 @@ if (isset($_GET['mailbox'])) {
     $mailbox = $_POST['mailbox'];
 }
 if (isset($_GET['PG_SHOWNUM'])) {
-    $PG_SHOWNUM = $_GET['PG_SHOWNUM'];
+    $PG_SHOWNUM = (int) $_GET['PG_SHOWNUM'];
 }
 elseif (isset($_SESSION['PG_SHOWNUM'])) {
-    $PG_SHOWNUM = $_SESSION['PG_SHOWNUM'];
+    $PG_SHOWNUM = (int) $_SESSION['PG_SHOWNUM'];
 }
 if (isset($_GET['PG_SHOWALL'])) {
-    $PG_SHOWALL = $_GET['PG_SHOWALL'];
+    $PG_SHOWALL = (int) $_GET['PG_SHOWALL'];
 }
 if (isset($_GET['newsort'])) {
-    $newsort = $_GET['newsort'];
+    $newsort = (int) $_GET['newsort'];
 }
 if (isset($_GET['composenew'])) {
     $composenew = $_GET['composenew'];
@@ -76,10 +76,10 @@ if (isset($_GET['composenew'])) {
 }
 
 if (isset($_GET['checkall'])) {
-    $checkall = $_GET['checkall'];
+    $checkall = (int) $_GET['checkall'];
 }
 if (isset($_GET['set_thread'])) {
-    $set_thread = $_GET['set_thread'];
+    $set_thread = (int) $_GET['set_thread'];
 }
 if (isset($_SESSION['lastTargetMailbox'])) {
     $lastTargetMailbox =$_SESSION['lastTargetMailbox'];
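Review bot: `$composenew` (context line after the `newsort` hunk) and `$mailbox` are read from `$_GET` without a cast or escaping while every neighbour now gets `(int)`; if they are used only as IMAP folder names or flags that is fine, but their output sites are outside this hunk and should be checked for `htmlspecialchars()` / `urlencode()`. Casting `$checkall` and `$set_thread` to int assumes callers send numeric flags; a caller that passes a word such as `on` would now see `0`, which is worth confirming against the forms and links that set them.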

+ 3 - 3
src/vcard.php

@@ -26,7 +26,7 @@ $key  = $_COOKIE['key'];
 $username = $_SESSION['username'];
 $onetimepad = $_SESSION['onetimepad'];
 $mailbox = decodeHeader($_GET['mailbox']);
-$passed_id = $_GET['passed_id'];
+$passed_id = (int) $_GET['passed_id'];
 $ent_id = $_GET['ent_id'];
 $passed_ent_id = $_GET['passed_ent_id'];
 $QUERY_STRING = $_SERVER['QUERY_STRING'];
@@ -43,7 +43,7 @@ echo '<br><table width="100%" border="0" cellspacing="0" cellpadding="2" ' .
         '<tr><td bgcolor="' . $color[0] . '">' .
         '<b><center>' .
         _("Viewing a Business Card") . " - ";
-$msg_url = 'read_body.php?' . $QUERY_STRING;
+$msg_url = 'read_body.php?' . urlencode(strip_tags(urldecode($QUERY_STRING)));
 $msg_url = set_url_var($msg_url, 'ent_id', 0);
 echo '<a href="'.$msg_url.'">'. _("View message") . '</a>';
 
@@ -201,7 +201,7 @@ echo '</select>' .
         '<tr><td align=center>' .
         '<a href="../src/download.php?absolute_dl=true&amp;passed_id=' .
         $passed_id . '&amp;mailbox=' . urlencode($mailbox) .
-        '&amp;passed_ent_id=' . $passed_ent_id . '">' .
+        '&amp;passed_ent_id=' . urlencode($passed_ent_id) . '">' .
         _("Download this as a file") . '</A>' .
         '</TD></TR></TABLE>' .