14 years ago · e61d33ae49
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -362,6 +362,9 @@ Version 1.5.2 - SVN
 
				     to config_local.php.
			
 
				   - Added clickjacking protection (thanks to Asbjorn Thorsen and Geir Hansen
			
 
				     for bringing this to our attention). [CVE-2010-4554]
			
 
				+  - Fixed XSS holes in generic options inputs, XSS hole in the SquirrelSpell
			
 
				+    plugin, and added anti-CSRF protection to the empty trash feature (thanks
			
 
				+    to Nicholas Carlini for finding all these issues). [CVE-2010-4555]
			
 
				 
			
 
				 Version 1.5.1 (branched on 2006-02-12)
			
 
				 --------------------------------------
			
--- a/functions/options.php
+++ b/functions/options.php
@@ -831,6 +831,21 @@ function save_option($option) {
 
				         return;
			
 
				     }
			
 
				 
			
 
				+    // if the widget is a selection list, make sure the new
			
 
				+    // value is actually in the selection list and is not an
			
 
				+    // injection attack
			
 
				+    //
			
 
				+    if ($option->type == SMOPT_TYPE_STRLIST
			
 
				+     && !array_key_exists($option->new_value, $option->possible_values))
			
 
				+        return;
			
 
				+
			
 
				+
			
 
				+    // all other widgets except TEXTAREAs should never be allowed to have newlines
			
 
				+    //
			
 
				+    else if ($option->type != SMOPT_TYPE_TEXTAREA)
			
 
				+        $option->new_value = str_replace(array("\r", "\n"), '', $option->new_value);
			
 
				+
			
 
				+
			
 
				     global $data_dir;
			
 
				 
			
 
				     // edit lists: first add new elements to list, then
			
--- a/plugins/squirrelspell/modules/check_me.mod
+++ b/plugins/squirrelspell/modules/check_me.mod
@@ -183,7 +183,7 @@ if ($errors){
 
				   for ($i=0; $i<sizeof($sqspell_lines); $i++){
			
 
				     // use addcslashes for compatibility with magic_quotes_sybase
			
 
				     $extrajs.= "sqspell_lines[$i] = \""
			
 
				-      . chop(addcslashes($sqspell_lines[$i], "'\"\\\x0")) . "\";\n";
			
 
				+      . chop(addcslashes($sqspell_lines[$i], ">'\"\\\x0")) . "\";\n";
			
 
				   }
			
 
				   $extrajs.= "\n\n";
			
 
				 
			
--- a/src/empty_trash.php
+++ b/src/empty_trash.php
@@ -30,6 +30,10 @@ sqgetGlobalVar('delimiter', $delimiter, SQ_SESSION);
 
				 
			
 
				 /* finished globals */
			
 
				 
			
 
				+// first do a security check
			
 
				+sqgetGlobalVar('smtoken', $submitted_token, SQ_GET, '');
			
 
				+sm_validate_security_token($submitted_token, 3600, TRUE);
			
 
				+
			
 
				 $imap_stream = sqimap_login($username, false, $imapServerAddress, $imapPort, 0);
			
 
				 
			
 
				 $mailbox = $trash_folder;
			
--- a/templates/default/left_main.tpl
+++ b/templates/default/left_main.tpl
@@ -196,7 +196,7 @@ function buildMailboxTree ($box, $settings, $icon_theme_path, $indent_factor=0)
 
				                 $end .= '&nbsp;<small>('.$unseen_str.')</small>';
			
 
				             }
			
 
				             $end .= "\n<small>" .
			
 
				-                    '&nbsp;&nbsp;[<a href="empty_trash.php">'. _("Purge").'</a>]' .
			
 
				+                    '&nbsp;&nbsp;[<a href="empty_trash.php?smtoken=' . sm_generate_security_token() . '">'. _("Purge").'</a>]' .
			
 
				                     '</small>';
			
 
				         }
			
 
				     } else {
			
--- a/templates/default_advanced/left_main.tpl
+++ b/templates/default_advanced/left_main.tpl
@@ -305,7 +305,7 @@ extract($t);
 
				 <?php
			
 
				 if ($settings['messageRecyclingEnabled']) {
			
 
				     echo '<br />';
			
 
				-    echo '<a href="empty_trash.php"';
			
 
				+    echo '<a href="empty_trash.php?smtoken=' . sm_generate_security_token() . '"';
			
 
				     if ($accesskey_folders_purge_trash != 'NONE')
			
 
				         echo ' accesskey="' . $accesskey_folders_purge_trash . '"';
			
 
				     echo '>' . _("Purge Trash") . '</a>';