
List:       squirrelmail-cvs
Subject:    [SM-CVS] SF.net SVN: squirrelmail:[13957]
From:       pdontthink () users ! sourceforge ! net
Date:       2010-06-26 10:15:50
Message-ID: E1OSSQQ-0001p7-3Z () sfp-svn-5 ! v30 ! ch3 ! sourceforge ! com

Revision: 13957
          http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13957&view=rev
Author:   pdontthink
Date:     2010-06-26 10:15:49 +0000 (Sat, 26 Jun 2010)

Log Message:
-----------
Aggressive sanitizing of REQUEST_URI, PHP_SELF, and QUERY_STRING corrupted page URIs by encoding ampersands in the query string, so we have to un-sanitize ampersands.  Will this cause any security/XSS issues?
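The following is an added illustration, not SquirrelMail code, of what the commit message describes: running a request URI through htmlspecialchars() turns every `&` into `&amp;`, which breaks the query string, and the workaround is to put the ampersands back afterwards. The sample URI and the helper `html_attr()` are constructed for this example; the standard-library calls (htmlspecialchars, str_replace, ENT_QUOTES) are real PHP.

```php
<?php
// Added example (not part of the SquirrelMail commit): input-time sanitizing
// of a URI versus escaping once at the point of output.

// Constructed sample: two query parameters plus an entity-like fragment and
// an angle bracket that the client sent literally.
$uri = '/src/right_main.php?mailbox=INBOX&startMessage=1&q=<b>&amp;x';

// 1. Sanitizing at input time, as the code did before this commit.
//    Every '&' becomes '&amp;', so a redirect or Location header built from
//    this value no longer carries two separate parameters.
$sanitized = htmlspecialchars($uri);
// $sanitized:
// /src/right_main.php?mailbox=INBOX&amp;startMessage=1&amp;q=&lt;b&gt;&amp;amp;x

// 2. The commit's workaround: restore the ampersands after escaping.
//    '<' and '>' stay encoded, so the result is neither the raw URI nor a
//    fully escaped one. A literal '&amp;' in the request is double-encoded to
//    '&amp;amp;' and then comes back as '&amp;', i.e. unchanged.
$restored = str_replace('&amp;', '&', $sanitized);
// $restored:
// /src/right_main.php?mailbox=INBOX&startMessage=1&q=&lt;b&gt;&amp;x

// 3. The alternative: leave $_SERVER untouched and escape exactly once where
//    the value is written into HTML. ENT_QUOTES also covers single quotes,
//    which the default flags of htmlspecialchars() leave alone.
function html_attr($value)
{
    return htmlspecialchars($value, ENT_QUOTES);
}

echo '<form action="' . html_attr($uri) . '">' . "\n";
// <form action="/src/right_main.php?mailbox=INBOX&amp;startMessage=1&amp;q=&lt;b&gt;&amp;amp;x">
// The browser decodes the attribute back to the exact URI the client sent,
// '&amp;x' included, while the raw $uri remains usable for redirects.
```

The mixed-encoding state in step 2 is what makes the FIXME hard to answer: code that later escapes the value again will display `&amp;lt;b&amp;gt;`, and code that emits it raw relies on the browser decoding the remaining entities. Escaping once at output, as in step 3, avoids both cases.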

Modified Paths:
--------------
    trunk/squirrelmail/include/init.php

Modified: trunk/squirrelmail/include/init.php
===================================================================
--- trunk/squirrelmail/include/init.php	2010-06-25 21:31:10 UTC (rev 13956)
+++ trunk/squirrelmail/include/init.php	2010-06-26 10:15:49 UTC (rev 13957)
@@ -275,13 +275,17 @@
  * htmlspecialchars() is the preferred method.
  * QUERY_STRING also needs the same treatment since it is
  * used in php_self().
+ * Update again: the encoding of ampersands that occurs
+ * using htmlspecialchars() corrupts the query strings
+ * in normal URIs, so we have to let those through.
+FIXME: will the de-sanitizing of ampersands create any security/XSS problems?
  */
 if (isset($_SERVER['REQUEST_URI']))
-    $_SERVER['REQUEST_URI'] = htmlspecialchars($_SERVER['REQUEST_URI']);
+    $_SERVER['REQUEST_URI'] = str_replace('&', '&', \
htmlspecialchars($_SERVER['REQUEST_URI']));  if (isset($_SERVER['PHP_SELF']))
-    $_SERVER['PHP_SELF'] = htmlspecialchars($_SERVER['PHP_SELF']);
+    $_SERVER['PHP_SELF'] = str_replace('&', '&', \
htmlspecialchars($_SERVER['PHP_SELF']));  if (isset($_SERVER['QUERY_STRING']))
-    $_SERVER['QUERY_STRING'] = htmlspecialchars($_SERVER['QUERY_STRING']);
+    $_SERVER['QUERY_STRING'] = str_replace('&', '&', \
htmlspecialchars($_SERVER['QUERY_STRING']));  
 $PHP_SELF = php_self();
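Review bot: as rendered here, `str_replace('&', '&', htmlspecialchars(...))` on all three `$_SERVER` assignments is a no-op, since the search and replacement strings are identical; if the archive has decoded an `&amp;` in the first argument, the committed file should read `str_replace('&amp;', '&', htmlspecialchars($_SERVER['REQUEST_URI']))` and likewise for PHP_SELF and QUERY_STRING, which is worth confirming in a checkout. On the FIXME: restoring `&` alone does not bring back `<`, `>` or `"`, which htmlspecialchars() still encodes, so it does not by itself reintroduce tag or attribute delimiters; but the stored value is now neither raw nor fully escaped (a literal `&amp;` in the request is double-encoded and comes back unchanged, `<` stays as `&lt;`), `'` is never encoded because the call does not pass ENT_QUOTES, and any output path that uses these values must still escape them once more. The cleaner fix is to stop mutating `$_SERVER` and escape at the point of output. Minor style point: the FIXME line inside the comment block lacks the leading ` * ` that the surrounding lines use.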
 

