Changeset 218
- Timestamp:
- 10/19/07 23:26:25 (15 months ago)
- Location:
- trunk
- Files:
-
- 9 modified
-
ChangeLog (modified) (1 diff)
-
includes/func.inc.php (modified) (3 diffs)
-
includes/sites/domain_add.php (modified) (2 diffs)
-
includes/sites/domain_view.php (modified) (1 diff)
-
includes/sites/email_add.php (modified) (1 diff)
-
includes/sites/email_view.php (modified) (3 diffs)
-
includes/sites/user_spam.php (modified) (2 diffs)
-
system_scripts/create_mailboxes.pl (modified) (1 diff)
-
templates/error_messages.tpl (modified) (2 diffs)
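--- a/trunk/ChangeLog
+++ b/trunk/ChangeLog
@@ -3,4 +3,6 @@
 o Fixed: recipient classes VIEW
 o Improved: display mailbox size with units
+o Improved: fist step to better inputchecks for XSS protection
+Thanks to Sven Tantau (http://beastiebytes.com)
 CpVES 0.10 2007-10-11 - Jonas Genannt - <jonas.genannt@brachium-system.net>
 o Improved: sa_learn.pl no longer debug output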
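--- a/trunk/includes/func.inc.php
+++ b/trunk/includes/func.inc.php
@@ -50,4 +50,20 @@
 }
 
+function domain_valid($domain) {
+if (preg_match("/^([0-9a-zA-Z\._\-]+)$/", $domain)) {
+return true;
+}
+return false;
+}
+
+function clean_input($string) {
+if (get_magic_quotes_gpc()) {
+$string=stripslashes($string);
+}
+$string=strip_tags($string);
+return $string;
+
+}
+
 function get_all_langs() {
 $table_lang = array();
@@ -545,5 +561,5 @@
 function email_valid($mail)
 {
-if (ereg("^([a-zA-Z0-9._ -]+)$", $mail))
+if (ereg("^([a-zA-Z0-9._\-]+)$", $mail))
 {
 return true;
@@ -840,4 +856,6 @@
 $msg=stripslashes($msg);
 }
+$esubject=clean_input($esubject);
+$msg=clean_input($msg);
 if ($result->numRows()==1)
 {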
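Review bot: clean_input() relies on strip_tags() as the XSS defence, but strip_tags() is not an escaper: it leaves `"`, `'` and `&` untouched (so anything rendered inside an HTML attribute is still injectable), silently discards legitimate text such as `a < b`, and mutates the stored data instead of protecting the output. The robust fix is to escape at the point of output — `htmlspecialchars($s, ENT_QUOTES)` or Smarty's `|escape:'html'` on every assigned value — and keep clean_input() at most as a normalisation step. Separately, domain_valid()'s pattern ends in `$` without the `D` modifier, so preg_match() accepts "example.com\n"; use `"/^[0-9a-zA-Z._-]+$/D"` (or `\z`). The tightened email_valid() pattern still goes through ereg(), and in a POSIX bracket expression a backslash is a literal, so `[..._\-]` most likely admits a literal `\` rather than escaping `-`; switching to `preg_match("/^[a-zA-Z0-9._-]+$/D", $mail)` avoids both that and the trailing-newline issue. The third hunk's enclosing function starts and ends outside the hunk.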
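--- a/trunk/includes/sites/domain_add.php
+++ b/trunk/includes/sites/domain_add.php
@@ -27,4 +27,8 @@
 $smarty->assign('if_error_domain_exits', 'y');
 $smarty->assign('dnsname', $_POST['dnsname']);
+}
+elseif(!domain_valid($_POST['dnsname'])) {
+$smarty->assign('error_msg','y');
+$smarty->assign('if_error_domain_wrong', 'y');
 }
 else
@@ -67,5 +71,5 @@
 $db->escapeSimple($max_email),
 $db->escapeSimple($max_forward),
-$db->escapeSimple( substr($_POST['dnote'],0,30)),
+$db->escapeSimple(clean_input(substr($_POST['dnote'],0,30)) ),
 $db->escapeSimple($_POST['p_spamassassin']),
 $db->escapeSimple($bogofilter),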
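Review bot: The new `elseif(!domain_valid($_POST['dnsname']))` branch only runs after the branch above it, which from `if_error_domain_exits` looks like the duplicate-domain lookup, so a name that fails validation is first used in a database query and then echoed back unescaped via `$smarty->assign('dnsname', $_POST['dnsname'])`; moving the domain_valid() test in front of the existence check keeps unvalidated input out of both. In the second hunk the truncation happens before cleaning; `substr(clean_input($_POST['dnote']),0,30)` applies the 30-byte limit to the value that is actually stored and matches the usual clean-then-limit order. Whether the duplicate lookup itself escapes dnsname cannot be seen here, since its condition is above the hunk. Both hunks are fragments of an if/elseif chain and an INSERT argument list that begin and end outside them.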
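--- a/trunk/includes/sites/domain_view.php
+++ b/trunk/includes/sites/domain_view.php
@@ -147,5 +147,5 @@
 if (isset($_POST['dnote'])) {
 $sql=sprintf("UPDATE domains SET dnote='%s' WHERE id='%d'",
-$db->escapeSimple( $_POST['dnote']),
+$db->escapeSimple(clean_input(substr($_POST['dnote'],0,30))),
 $db->escapeSimple($_GET['did']));
 $db->query($sql);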
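Review bot: strip_tags() inside clean_input() does not neutralise quote characters, so the value stored through `dnote='%s'` can still carry `"`, `'` and `&` and must be HTML-escaped wherever the template renders it, especially inside an attribute; escapeSimple() only protects the SQL string. If stripping is meant as the XSS defence, it would be safer to escape at output (`htmlspecialchars($note, ENT_QUOTES)` or `|escape` in the template) and treat the 30-byte `substr` purely as a length limit, applied after cleaning: `substr(clean_input($_POST['dnote']),0,30)`. The `%d` binding of `$_GET['did']` already forces an integer, so the escapeSimple() around it is redundant but harmless. The enclosing `if (isset($_POST['dnote']))` block continues past the hunk.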
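--- a/trunk/includes/sites/email_add.php
+++ b/trunk/includes/sites/email_add.php
@@ -131,5 +131,5 @@
 $db->escapeSimple($_GET['did']),
 $db->escapeSimple($cleartext),
-$db->escapeSimple( $_POST['full_name']),
+$db->escapeSimple(clean_input(trim($_POST['full_name']))),
 $db->escapeSimple($imap),
 $db->escapeSimple($pop3),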
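Review bot: `clean_input(trim($_POST['full_name']))` strips tags but leaves CR/LF and `"` in place, which matters if the stored full name is later used as a display name in mail headers — that use is not visible in this hunk, but if it exists, a whitelist check in the style of the new domain_valid() (`preg_match('/^[^\r\n<>"]{1,60}$/D', $name)`) with an error message would be safer than silently rewriting the value. clean_input() removes content rather than rejecting it, so the user gets no feedback when their name is altered. Both argument lines belong to an INSERT whose sprintf() call starts before the hunk.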
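--- a/trunk/includes/sites/email_view.php
+++ b/trunk/includes/sites/email_view.php
@@ -98,4 +98,8 @@
 $smarty->assign('if_wrong_sa_subjecttag','y');
 }
+elseif (!preg_match("/^([0-9A-Za-z*\s\+\.\-_\]\[]+)$/",$_POST['rewrite_subject_header'])) {
+$smarty->assign('error_msg', 'y');
+$smarty->assign('if_illegal_sa_subjecttag','y');
+}
 else
 {
@@ -106,5 +110,5 @@
 elseif ($_POST['rewrite_subject']==1)
 {
-$rewrite_subject= $_POST['rewrite_subject_header'];
+$rewrite_subject=clean_input(trim($_POST['rewrite_subject_header']));
 
 }
@@ -587,5 +591,5 @@
 $sql=sprintf("UPDATE users SET passwd='%s', full_name='%s',p_imap='%d', p_pop3='%d',p_webmail='%d', cpasswd='%s', p_forwarding='%s',p_spamassassin='%s',p_mailarchive='%d',p_bogofilter='%d',p_spam_del='%d',p_sa_learn='%d',p_fetchmail='%d',p_webinterface='%d',p_autores_xheader='%d',p_check_polw='%d',p_check_grey='%d',p_spam_fwd='%d' WHERE id='%d' ",
 $db->escapeSimple($cleartext),
-$db->escapeSimple( $_POST['full_name']),
+$db->escapeSimple(clean_input(trim($_POST['full_name']))),
 $db->escapeSimple($imap),
 $db->escapeSimple($pop3),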
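Review bot: The `\s` in the new subject-tag whitelist `/^([0-9A-Za-z*\s\+\.\-_\]\[]+)$/` admits `\r` and `\n` (and `$` without the `D` modifier also accepts a trailing newline), so a value that later ends up on a SpamAssassin `rewrite_header` line could carry a line break and with it an extra directive; replace `\s` with a literal space and anchor properly: `"/^[0-9A-Za-z*+ .\[\]_-]+$/D"`. Where the value is written is outside this hunk, so treat that consequence as unconfirmed, but control characters should not be in the character class regardless. Once the whitelist rejects `<` and `>`, the `clean_input()` in the second hunk does nothing for this field and only the `trim()` is doing work. In the third hunk `passwd='%s'` is bound to `$db->escapeSimple($cleartext)`; if the variable name is accurate, the password is persisted in clear text next to `cpasswd`, which deserves a separate look. Each hunk is a fragment of an if/elseif chain or sprintf() argument list that begins before and ends after it.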
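--- a/trunk/includes/sites/user_spam.php
+++ b/trunk/includes/sites/user_spam.php
@@ -51,4 +51,8 @@
 $smarty->assign('if_wrong_sa_subjecttag','y');
 }
+elseif (!preg_match("/^([0-9A-Za-z*\s\+\.\-_\]\[]+)$/",$_POST['rewrite_subject_header'])) {
+$smarty->assign('error_msg', 'y');
+$smarty->assign('if_illegal_sa_subjecttag','y');
+}
 else
 {
@@ -59,5 +63,5 @@
 elseif ($_POST['rewrite_subject']==1)
 {
-$rewrite_subject= $_POST['rewrite_subject_header'];
+$rewrite_subject=clean_input(trim($_POST['rewrite_subject_header']));
 
 }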
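Review bot: The new validation block is a byte-for-byte copy of the one added to email_view.php, including the `\s`-in-whitelist weakness that lets `\r`/`\n` through and the missing `D` modifier on `$`; both copies should call one shared helper in func.inc.php beside domain_valid(), e.g. `function sa_subjecttag_valid($tag) { return preg_match("/^[0-9A-Za-z*+ .\[\]_-]+$/D", $tag) === 1; }`, so the character class is fixed in one place. With that helper rejecting `<` and `>`, the `clean_input(trim(...))` assignment in the second hunk reduces to `trim(...)`. Both hunks are pieces of an if/elseif chain whose start and end lie outside the hunks.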
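--- a/trunk/system_scripts/create_mailboxes.pl
+++ b/trunk/system_scripts/create_mailboxes.pl
@@ -66,4 +66,6 @@
 my $id = $data[1];
 my $emailaddr = $data[0];
+die ("Error: emailaddress contains illegal chars!\n") unless ($emailaddr=~m/^([a-zA-Z0-9._\-]+)$/);
+die ("Error: domainname contains illegal chars!\n") unless ($dnsname=~m/^([a-zA-Z0-9._\-]+)$/);
 if ( ! -d "$config{'vmail_home'}/$dnsname") {
 `mkdir -p $config{'vmail_home'}/$dnsname`;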
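Review bot: Both new checks anchor with `$`, which in Perl also matches before a trailing newline, so "example.com\n" passes and is then interpolated into the `mkdir -p` backtick command below; anchor with `\z` instead. The class `[a-zA-Z0-9._\-]+` also accepts `.` and `..`, so a $dnsname of `..` turns `$config{'vmail_home'}/$dnsname` into the parent directory; requiring non-empty dot-separated labels closes both gaps: `die ("Error: domainname contains illegal chars!\n") unless ($dnsname=~m/^[a-zA-Z0-9_\-]+(?:\.[a-zA-Z0-9_\-]+)*\z/);` and the same shape for $emailaddr. The values come from `@data`, whose origin is above the hunk, so whether a newline or a bare `..` can actually reach this point is not visible here. Shell metacharacters are excluded by the class, so the backticks are acceptable once the anchors are fixed, though `File::Path::mkpath` would avoid the shell altogether.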
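--- a/trunk/templates/error_messages.tpl
+++ b/trunk/templates/error_messages.tpl
@@ -3,4 +3,6 @@
 {elseif $if_error_domain_exits == 'y' }
 {t}domain already exists!{/t}
+{elseif $if_error_domain_wrong == 'y'}
+{t}domainname contains illegal characters!{/t}
 {elseif $if_error_email_exits == 'y' }
 {t}emailaddress already exists!{/t}
@@ -40,4 +42,6 @@
 {elseif $if_new_passwd_not_same == 'y'}
 {t}new passwords does not match!{/t}
+{elseif $if_illegal_sa_subjecttag == 'y'}
+{t}subject contains illegal characters!{/t}
 {elseif $if_submit_email_wrong == 'y' }
 {t}emailaddress is not valid!{/t}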
