XSS fixes

plugins/calendar/calendar.php

@@ -34,16 +34,20 @@ require_once(SM_PATH . 'functions/html.php');
 
 /* get globals */
 
-if (isset($_GET['month'])) {
+// undo rg = on effects
+if (isset($month)) unset($month);
+if (isset($year))  unset($year);
+
+if (isset($_GET['month']) && is_numeric($_GET['month'])) {
     $month = $_GET['month'];
 }
-if (isset($_GET['year'])) {
+if (isset($_GET['year']) && is_numeric($_GET['year'])) {
     $year = $_GET['year'];
 }
-if (isset($_POST['year'])) {
+if (isset($_POST['year']) && is_numeric($_POST['year'])) {
     $year = $_POST['year'];
 }
-if (isset($_POST['month'])) {
+if (isset($_POST['month']) && is_numeric($_POST['month'])) {
     $month = $_POST['month'];
 }
 /* got 'em */

plugins/calendar/day.php

@@ -32,22 +32,28 @@ require_once(SM_PATH . 'include/load_prefs.php');
 require_once(SM_PATH . 'functions/html.php');
 
 /* get globals */
-if (isset($_GET['year'])) {
+
+// undo rg = on effects
+if (isset($month)) unset($month);
+if (isset($year))  unset($year);
+if (isset($day))  unset($day);
+
+if (isset($_GET['year']) && is_numeric($_GET['year'])) {
     $year = $_GET['year'];
 }
-elseif (isset($_POST['year'])) {
+elseif (isset($_POST['year']) && is_numeric($_POST['year'])) {
     $year = $_POST['year'];
 }
-if (isset($_GET['month'])) {
+if (isset($_GET['month']) && is_numeric($_GET['month'])) {
     $month = $_GET['month'];
 }
-elseif (isset($_POST['month'])) {
+elseif (isset($_POST['month'])  && is_numeric($_POST['month'])) {
     $month = $_POST['month'];
 }
-if (isset($_GET['day'])) {
+if (isset($_GET['day']) && is_numeric($_GET['day'])) {
     $day = $_GET['day'];
 }
-elseif (isset($_POST['day'])) {
+elseif (isset($_POST['day'])  && is_numeric($_POST['day'])) {
     $day = $_POST['day'];
 }
 

plugins/calendar/event_create.php

@@ -35,40 +35,53 @@ require_once(SM_PATH . 'functions/html.php');
 
 /* get globals */
 
-if (isset($_POST['year'])) {
-    $year = $_POST['year'];
-}
-elseif (isset($_GET['year'])) {
+// undo rg = on effects
+if (isset($month)) unset($month);
+if (isset($year))  unset($year);
+if (isset($day))  unset($day);
+if (isset($hour))  unset($hour);
+if (isset($minute))  unset($minute);
+if (isset($event_hour))  unset($event_hour);
+if (isset($event_minute))  unset($event_minute);
+if (isset($event_length))  unset($event_length);
+if (isset($event_priority))  unset($event_priority);
+
+
+if (isset($_GET['year']) && is_numeric($_GET['year'])) {
     $year = $_GET['year'];
 }
-if (isset($_POST['month'])) {
-    $month = $_POST['month'];
+elseif (isset($_POST['year']) && is_numeric($_POST['year'])) {
+    $year = $_POST['year'];
 }
-elseif (isset($_GET['month'])) {
+if (isset($_GET['month']) && is_numeric($_GET['month'])) {
     $month = $_GET['month'];
 }
-if (isset($_POST['day'])) {
-    $day = $_POST['day'];
+elseif (isset($_POST['month']) && is_numeric($_POST['month'])) {
+    $month = $_POST['month'];
 }
-elseif (isset($_GET['day'])) {
+if (isset($_GET['day']) && is_numeric($_GET['day'])) {
     $day = $_GET['day'];
 }
-if (isset($_POST['hour'])) {
+elseif (isset($_POST['day']) && is_numeric($_POST['day'])) {
+    $day = $_POST['day'];
+}
+
+if (isset($_POST['hour']) && is_numeric($_POST['hour'])) {
     $hour = $_POST['hour'];
 }
-elseif (isset($_GET['hour'])) {
+elseif (isset($_GET['hour']) && is_numeric($_GET['hour'])) {
     $hour = $_GET['hour'];
 }
-if (isset($_POST['event_hour'])) {
+if (isset($_POST['event_hour']) && is_numeric($_POST['event_hour'])) {
     $event_hour = $_POST['event_hour'];
 }
-if (isset($_POST['event_minute'])) {
+if (isset($_POST['event_minute']) && is_numeric($_POST['event_minute'])) {
     $event_minute = $_POST['event_minute'];
 }
-if (isset($_POST['event_length'])) {
+if (isset($_POST['event_length']) && is_numeric($_POST['event_length'])) {
     $event_length = $_POST['event_length'];
 }
-if (isset($_POST['event_priority'])) {
+if (isset($_POST['event_priority']) && is_numeric($_POST['event_priority'])) {
     $event_priority = $_POST['event_priority'];
 }
 if (isset($_POST['event_title'])) {

plugins/calendar/event_edit.php

@@ -34,25 +34,40 @@ require_once(SM_PATH . 'functions/html.php');
 
 /* get globals */
 
+// undo rg = on effects
+if (isset($month)) unset($month);
+if (isset($year))  unset($year);
+if (isset($day))  unset($day);
+if (isset($hour))  unset($hour);
+if (isset($minute))  unset($minute);
+if (isset($event_year))  unset($event_year);
+if (isset($event_month))  unset($event_month);
+if (isset($event_day))  unset($event_day);
+if (isset($event_hour))  unset($event_hour);
+if (isset($event_minute))  unset($event_minute);
+if (isset($event_length))  unset($event_length);
+if (isset($event_priority))  unset($event_priority);
+
 if (isset($_POST['updated'])) {
     $updated = $_POST['updated'];
 }
-if (isset($_POST['event_year'])) {
+
+if (isset($_POST['event_year']) && is_numeric($_POST['event_year'])) {
     $event_year = $_POST['event_year'];
 }
-if (isset($_POST['event_month'])) {
+if (isset($_POST['event_month']) && is_numeric($_POST['event_month'])) {
     $event_month = $_POST['event_month'];
 }
-if (isset($_POST['event_day'])) {
+if (isset($_POST['event_day']) && is_numeric($_POST['event_day'])) {
     $event_day = $_POST['event_day'];
 }
-if (isset($_POST['event_hour'])) {
+if (isset($_POST['event_hour']) && is_numeric($_POST['event_hour'])) {
     $event_hour = $_POST['event_hour'];
 }
-if (isset($_POST['event_minute'])) {
+if (isset($_POST['event_minute']) && is_numeric($_POST['event_minute'])) {
     $event_minute = $_POST['event_minute'];
 }
-if (isset($_POST['event_length'])) {
+if (isset($_POST['event_length']) && is_numeric($_POST['event_length'])) {
     $event_length = $_POST['event_length'];
 }
 if (isset($_POST['event_title'])) {
@@ -64,40 +79,37 @@ if (isset($_POST['event_text'])) {
 if (isset($_POST['send'])) {
     $send = $_POST['send'];
 }
-if (isset($_POST['event_priority'])) {
+if (isset($_POST['event_priority']) && is_numeric($_POST['event_priority'])) {
     $event_priority = $_POST['event_priority'];
 }
 if (isset($_POST['confirmed'])) {
     $confirmed = $_POST['confirmed'];
 }
-if (isset($_POST['year'])) {
+
+if (isset($_POST['year']) && is_numeric($_POST['year'])) {
     $year = $_POST['year'];
-}
-elseif (isset($_GET['year'])) {
+} elseif (isset($_GET['year']) && is_numeric($_GET['year'])) {
     $year = $_GET['year'];
 }
-if (isset($_POST['month'])) {
+if (isset($_POST['month']) && is_numeric($_POST['month'])) {
     $month = $_POST['month'];
-}
-elseif (isset($_GET['month'])) {
+} elseif (isset($_GET['month']) && is_numeric($_GET['month'])) {
     $month = $_GET['month'];
 }
-if (isset($_POST['day'])) {
+if (isset($_POST['day']) && is_numeric($_POST['day'])) {
     $day = $_POST['day'];
-}
-elseif (isset($_GET['day'])) {
+} elseif (isset($_GET['day']) && is_numeric($_GET['day'])) {
     $day = $_GET['day'];
 }
-if (isset($_POST['hour'])) {
+if (isset($_POST['hour']) && is_numeric($_POST['hour'])) {
     $hour = $_POST['hour'];
-}
-elseif (isset($_GET['hour'])) {
+} elseif (isset($_GET['hour']) && is_numeric($_GET['hour'])) {
     $hour = $_GET['hour'];
 }
-if (isset($_POST['minute'])) {
+if (isset($_POST['minute']) && is_numeric($_POST['minute'])) {
     $minute = $_POST['minute'];
 }
-elseif (isset($_GET['minute'])) {
+elseif (isset($_GET['minute']) && is_numeric($_GET['minute'])) {
     $minute = $_GET['minute'];
 }
 /* got 'em */

plugins/listcommands/mailout.php

@@ -33,14 +33,6 @@ sqgetGlobalVar('action',  $action,  SQ_GET);
 displayPageHeader($color, $mailbox);
 $fieldsdescr = listcommands_fieldsdescr();
 
-echo html_tag('p', '', 'left' ) .
-    html_tag( 'table', '', 'center', $color[0], 'border="0" width="75%"' ) . "\n" .
-    html_tag( 'tr',
-            html_tag( 'th', _("Mailinglist") . ': ' . $fieldsdescr[$action], '', $color[9] )
-            ) .
-    html_tag( 'tr' ) .
-    html_tag( 'td', '', 'left' );
-
 switch ( $action ) {
     case 'help':
         $out_string = _("This will send a message to %s requesting help for this list. You will receive an emailed response at the address below.");
@@ -50,8 +42,20 @@ switch ( $action ) {
         break;
     case 'unsubscribe':
         $out_string = _("This will send a message to %s requesting that you will be unsubscribed from this list. It will try to unsubscribe the adress below.");
+        break;
+    default:
+        error_box(sprintf(_("Unknown action: %s"),htmlspecialchars($action)), $color);
+        exit;
 }
 
+echo html_tag('p', '', 'left' ) .
+    html_tag( 'table', '', 'center', $color[0], 'border="0" width="75%"' ) . "\n" .
+    html_tag( 'tr',
+            html_tag( 'th', _("Mailinglist") . ': ' . $fieldsdescr[$action], '', $color[9] )
+            ) .
+    html_tag( 'tr' ) .
+    html_tag( 'td', '', 'left' );
+
 printf($out_string, '"' . htmlspecialchars($send_to) . '"');
 
 echo addForm(SM_PATH . 'src/compose.php', 'post');

plugins/newmail/newmail.php

@@ -19,6 +19,7 @@ define('SM_PATH','../../');
 require_once(SM_PATH . 'include/validate.php');
 
 sqGetGlobalVar('numnew', $numnew, SQ_GET);
+$numnew = (int)$numnew;
 
    displayHtmlHeader( _("New Mail"), '', FALSE );
 

plugins/spamcop/setup.php

@@ -83,7 +83,9 @@ function spamcop_show_link() {
     sqgetGlobalVar('passed_id',    $passed_id,    SQ_FORM);
     sqgetGlobalVar('passed_ent_id',$passed_ent_id,SQ_FORM);
     sqgetGlobalVar('mailbox',      $mailbox,      SQ_FORM);
-    sqgetGlobalVar('startMessage', $startMessage, SQ_FORM);
+    if ( sqgetGlobalVar('startMessage', $startMessage, SQ_FORM) ) {
+        $startMessage = (int)$startMessage;
+    }
     /* END GLOBALS */
 
     // catch unset passed_ent_id

plugins/squirrelspell/modules/lang_change.mod

@@ -39,7 +39,7 @@ foreach ($use_langs as $lang) {
 if (sizeof($new_langs)>1) {
   $dsp_string = '';
   foreach( $new_langs as $a) {
-    $dsp_string .= _(trim($a)) . ', ';
+    $dsp_string .= _(htmlspecialchars(trim($a))) . ', ';
   }
   // remove last comma and space
   $dsp_string = substr( $dsp_string, 0, -2 );

src/compose.php

@@ -77,7 +77,11 @@ sqgetGlobalVar('draft_id',$draft_id);
 sqgetGlobalVar('ent_num',$ent_num);
 sqgetGlobalVar('saved_draft',$saved_draft);
 sqgetGlobalVar('delete_draft',$delete_draft);
-sqgetGlobalVar('startMessage',$startMessage);
+if ( sqgetGlobalVar('startMessage',$startMessage) ) {
+    $startMessage = (int)$startMessage;
+} else {
+    $startMessage = 1;
+}
 
 /** POST VARS */
 sqgetGlobalVar('sigappend',             $sigappend,             SQ_POST);
@@ -388,7 +392,7 @@ if ($draft) {
                 echo '   <br><br><center><a href="' . $location
                     . '/compose.php?saved_sent=yes&amp;session=' . $composesession . '">'
                     . _("Return") . '</a></center>';
-            }            
+            }
             exit();
         } else {
             if ( !isset($pageheader_sent) || !$pageheader_sent ) {
@@ -399,7 +403,7 @@ if ($draft) {
                     . '/right_main.php?mailbox=' . urlencode($draft_folder)
                     . '&amp;startMessage=1&amp;note=' . urlencode($draft_message) .'">'
                     . _("Return") . '</a></center>';
-            }            
+            }
             exit();
         }
     }

src/right_main.php

@@ -17,6 +17,7 @@
  * Path for SquirrelMail required files.
  * @ignore
  */
+//xdebug_start_profiling();
 define('SM_PATH','../');
 
 /* SquirrelMail required files. */
@@ -292,7 +293,7 @@ if (isset($mail_sent) && $mail_sent == 'yes') {
     $note = _("Your Message has been sent.");
 }
 if (isset($note)) {
-    echo html_tag( 'div', '<b>' . $note .'</b>', 'center' ) . "<br />\n";
+    echo html_tag( 'div', '<b>' . htmlspecialchars($note) .'</b>', 'center' ) . "<br />\n";
 }
 
 if ( sqgetGlobalVar('just_logged_in', $just_logged_in, SQ_SESSION) ) {
@@ -373,5 +374,8 @@ echo '</body></html>';
 /* add the mailbox to the cache */
 $mailbox_cache[$account.'_'.$aMailbox['NAME']] = $aMailbox;
 sqsession_register($mailbox_cache,'mailbox_cache');
+echo "<br>".__FILE__;
+//xdebug_dump_function_profile(4);
+
 
 ?>

src/search.php

@@ -1387,7 +1387,7 @@ if (isset($aMailbox['FORWARD_SESSION'])) {
 }
 
 if (isset($note)) {
-    echo html_tag( 'div', '<b>' . $note .'</b>', 'center' ) . "<br />\n";
+    echo html_tag( 'div', '<b>' . htmlspecialchars($note) .'</b>', 'center' ) . "<br />\n";
 }