Fix XSS holes in generic options inputs, XSS hole in the SquirrelSpell plugin, and added anti-CSRF protection to the empty trash feature (thanks to Nicholas Carlini for finding all these issues) [CVE-2010-4555]

doc/ChangeLog

@@ -362,6 +362,9 @@ Version 1.5.2 - SVN
     to config_local.php.
   - Added clickjacking protection (thanks to Asbjorn Thorsen and Geir Hansen
     for bringing this to our attention). [CVE-2010-4554]
+  - Fixed XSS holes in generic options inputs, XSS hole in the SquirrelSpell
+    plugin, and added anti-CSRF protection to the empty trash feature (thanks
+    to Nicholas Carlini for finding all these issues). [CVE-2010-4555]
 
 Version 1.5.1 (branched on 2006-02-12)
 --------------------------------------

functions/options.php

@@ -831,6 +831,21 @@ function save_option($option) {
         return;
     }
 
+    // if the widget is a selection list, make sure the new
+    // value is actually in the selection list and is not an
+    // injection attack
+    //
+    if ($option->type == SMOPT_TYPE_STRLIST
+     && !array_key_exists($option->new_value, $option->possible_values))
+        return;
+
+
+    // all other widgets except TEXTAREAs should never be allowed to have newlines
+    //
+    else if ($option->type != SMOPT_TYPE_TEXTAREA)
+        $option->new_value = str_replace(array("\r", "\n"), '', $option->new_value);
+
+
     global $data_dir;
 
     // edit lists: first add new elements to list, then

plugins/squirrelspell/modules/check_me.mod

@@ -183,7 +183,7 @@ if ($errors){
   for ($i=0; $i<sizeof($sqspell_lines); $i++){
     // use addcslashes for compatibility with magic_quotes_sybase
     $extrajs.= "sqspell_lines[$i] = \""
-      . chop(addcslashes($sqspell_lines[$i], "'\"\\\x0")) . "\";\n";
+      . chop(addcslashes($sqspell_lines[$i], ">'\"\\\x0")) . "\";\n";
   }
   $extrajs.= "\n\n";
 

src/empty_trash.php

@@ -30,6 +30,10 @@ sqgetGlobalVar('delimiter', $delimiter, SQ_SESSION);
 
 /* finished globals */
 
+// first do a security check
+sqgetGlobalVar('smtoken', $submitted_token, SQ_GET, '');
+sm_validate_security_token($submitted_token, 3600, TRUE);
+
 $imap_stream = sqimap_login($username, false, $imapServerAddress, $imapPort, 0);
 
 $mailbox = $trash_folder;

templates/default/left_main.tpl

@@ -196,7 +196,7 @@ function buildMailboxTree ($box, $settings, $icon_theme_path, $indent_factor=0)
                 $end .= '&nbsp;<small>('.$unseen_str.')</small>';
             }
             $end .= "\n<small>" .
-                    '&nbsp;&nbsp;[<a href="empty_trash.php">'. _("Purge").'</a>]' .
+                    '&nbsp;&nbsp;[<a href="empty_trash.php?smtoken=' . sm_generate_security_token() . '">'. _("Purge").'</a>]' .
                     '</small>';
         }
     } else {

templates/default_advanced/left_main.tpl

@@ -305,7 +305,7 @@ extract($t);
 <?php
 if ($settings['messageRecyclingEnabled']) {
     echo '<br />';
-    echo '<a href="empty_trash.php"';
+    echo '<a href="empty_trash.php?smtoken=' . sm_generate_security_token() . '"';
     if ($accesskey_folders_purge_trash != 'NONE')
         echo ' accesskey="' . $accesskey_folders_purge_trash . '"';
     echo '>' . _("Purge Trash") . '</a>';