
List:       squirrelmail-cvs
Subject:    Re: [SM-CVS] CVS: squirrelmail/src compose.php,1.429,
From:       "Tomas Kuliavas" <tokul () users ! sourceforge ! net>
Date:       2005-12-12 9:39:45
Message-ID: 33653.80.243.17.21.1134380385.squirrel () internet ! eik ! lt

> On Mon, 2005-12-12 at 09:31 +0200, Tomas Kuliavas wrote:
>
>>> oops, this error was already encoded, so back my r1.366 out, and part
>>> of Tomas' r1.429
>>>
>>>
>>
>> No, it is not.
>>
>>
>> Check Deliver_SMTP.class.php and try using an HTML-formatted string in
>> $this->dlv_msg, $this->dlv_ret_nr or $this->dlv_server_msg
>>
>>
>> http://cvs.sf.net/viewcvs.py/squirrelmail/squirrelmail/class/deliver/Deliver_SMTP.class.php?r1=1.13.2.11&r2=1.13.2.12
>>
>> I did the sanitizing inside the output function, because I thought it was
>> the proper place to do sanitizing. The interface should not care about HTML
>> string safety until those strings are sent to the end user.
>>
>> On IRC I said that it might break things if delivery backends use
>> HTML formatting. I don't think that delivery backends should use HTML
>> formatting without clear documentation indicating that variables contain
>> formatted error messages. If we move to templates, HTML formatting must be
>> removed from delivery classes anyway.
>
> I checked it. I tried to use a folder name with "<" in it, and it was
> encoded twice; whereas when I reverted my and your patch, it displayed just
> fine (encoded once). So there may be some problem somewhere, but the fix
> as it was didn't work.

------------
--- compose.php        8 Dec 2005 18:24:47 -0000        1.429
+++ compose.php        10 Dec 2005 13:57:29 -0000        1.430
@@ -1640,9 +1640,9 @@
     }
     if (!$success) {
         // $deliver->dlv_server_msg is not always server's reply
-        $msg  = htmlspecialchars($deliver->dlv_msg) . '<br />' .
-            _("Server replied:") . ' ' .
htmlspecialchars($deliver->dlv_ret_nr) . '
' .
-            htmlspecialchars($deliver->dlv_server_msg);
+        $msg  = $deliver->dlv_msg . '<br />' .
+            _("Server replied:") . ' ' . $deliver->dlv_ret_nr . ' ' .
+            $deliver->dlv_server_msg;
         plain_error_message($msg, $color);
     } else {
         unset ($deliver);
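Review bot: dropping the htmlspecialchars() wrappers in this hunk makes plain_error_message() depend on every setter of $deliver->dlv_msg, $deliver->dlv_ret_nr and $deliver->dlv_server_msg having escaped already, and the reply below says only errorCheck() in the SMTP class does so, while the sendmail finalizeStream() status check and the SMTP TLS error path store unescaped text; with this change a server reply or socket error containing "<" reaches the browser as markup. The double encoding being chased is in the draft-folder message, which does not go through these three fields, so this is the wrong place to revert: either keep the output-side escaping here and remove the source-side escaping from errorCheck(), or document that all three fields are always HTML-safe and make the two raw setters honour that before trusting them at output. Also, the hunk as pasted is mail-wrapped at "htmlspecialchars($deliver->dlv_ret_nr) . '" / "' ." (the "-" prefix was lost), so it will not apply as-is.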
-------------

You have reverted the wrong part of the code. These are not used for the "Draft folder
does not exists" message.

Just checked. $deliver->dlv_msg, $deliver->dlv_ret_nr and
$deliver->dlv_server_msg are set in three places. One place (the errorCheck()
function in the SMTP delivery class) sanitizes output. The other two (the status check
in sendmail finalizeStream() and TLS errors in SMTP) are not sanitized.

My code broke SMTP error messages. Since this is only a small formatting and
sanitizing issue and fsockopen() errors are in plain text, the 1.4.6 code can
be kept unchanged.

We should either sanitize errors in the delivery classes and rewrite the code when
templates are introduced, or sanitize them on output.

-- 
Tomas


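A worked illustration of the two failure modes discussed in this thread: escaping in both the setter and the output path (double encoding, "&amp;lt;" on screen) versus escaping in neither (raw "<" reaching the browser), followed by one consistent rule. This is an added example, not SquirrelMail's code; the class, method names and sample strings are constructed, and the ENT_QUOTES/charset arguments go beyond the plain htmlspecialchars() call used in compose.php.

```php
<?php
// Added example, not SquirrelMail code. Models the three places Tomas
// describes that set dlv_msg / dlv_ret_nr / dlv_server_msg: one escapes at
// the source (like errorCheck()), two store raw text (like the sendmail
// status check and the SMTP TLS error path). Names and strings are constructed.

class FakeDeliver {
    public $dlv_msg = '';
    public $dlv_ret_nr = '';
    public $dlv_server_msg = '';

    // Source-escaping setter: the errorCheck() pattern.
    public function setFromSmtpReply($line) {
        $this->dlv_msg        = htmlspecialchars('SMTP error');
        $this->dlv_ret_nr     = htmlspecialchars(substr($line, 0, 3));
        $this->dlv_server_msg = htmlspecialchars(trim(substr($line, 4)));
    }

    // Raw setter: the TLS / fsockopen() error pattern.
    public function setFromSocketError($errstr) {
        $this->dlv_msg        = 'Could not open connection';
        $this->dlv_ret_nr     = '';
        $this->dlv_server_msg = $errstr;   // stored unescaped
    }
}

// compose.php r1.429 style: escape every field at output.
function build_msg_escape_at_output(FakeDeliver $d) {
    return htmlspecialchars($d->dlv_msg) . '<br />Server replied: '
        . htmlspecialchars($d->dlv_ret_nr) . ' '
        . htmlspecialchars($d->dlv_server_msg);
}

// compose.php r1.430 style: trust the fields, no escaping at output.
function build_msg_trust_source(FakeDeliver $d) {
    return $d->dlv_msg . '<br />Server replied: '
        . $d->dlv_ret_nr . ' ' . $d->dlv_server_msg;
}

// Constructed inputs: an SMTP reply and a socket error that both carry '<'.
$smtpReply = '550 <bob@example.invalid>: Relay access denied';
$sockError = 'Connection refused by <mail.example.invalid>';

$fromSmtp = new FakeDeliver();
$fromSmtp->setFromSmtpReply($smtpReply);
$fromSock = new FakeDeliver();
$fromSock->setFromSocketError($sockError);

// Double encoding: source escaped once, output escapes again -> "&amp;lt;"
echo "r1.429 + errorCheck-style setter:\n  ",
     build_msg_escape_at_output($fromSmtp), "\n";
// Missing encoding: raw setter, no output escaping -> "<" reaches the browser
echo "r1.430 + raw setter:\n  ",
     build_msg_trust_source($fromSock), "\n";

// Consistent rule: setters store raw text, the output boundary escapes once.
class ConsistentDeliver extends FakeDeliver {
    public function setFromSmtpReply($line) {
        $this->dlv_msg        = 'SMTP error';
        $this->dlv_ret_nr     = substr($line, 0, 3);
        $this->dlv_server_msg = trim(substr($line, 4));
    }
}

function render_error(FakeDeliver $d) {
    // ENT_QUOTES and an explicit charset are additions over the original
    // htmlspecialchars() call; they also cover attribute contexts.
    $e = function ($s) { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); };
    return $e($d->dlv_msg) . '<br />Server replied: '
        . $e($d->dlv_ret_nr) . ' ' . $e($d->dlv_server_msg);
}

$fixed = new ConsistentDeliver();
$fixed->setFromSmtpReply($smtpReply);
echo "escape once at output:\n  ", render_error($fixed), "\n";
```

Run with `php example.php`: the first line shows "&amp;lt;bob@example.invalid&amp;gt;" (the visible "&lt;" the thread complains about), the second shows a raw "<mail.example.invalid>" tag in the output, and the third shows the reply escaped exactly once. Whichever side is chosen, the point is that exactly one layer owns escaping and the other stores plain text.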
--
squirrelmail-cvs mailing list
List Address: squirrelmail-cvs@lists.sourceforge.net
List Info: https://lists.sourceforge.net/lists/listinfo/squirrelmail-cvs
http://squirrelmail.org/cvs