------------------------------------------------------------------------
r1809 | christian_boltz | 2015-10-02 19:45:16 +0200 (Fr, 02. Okt 2015) | 8 Zeilen
functions.inc.php:
- gen_show_status(): escape mail addresses in query.
Fixes https://sourceforge.net/p/postfixadmin/bugs/356/
(mostly - the edit/delete/... links in list-virtual are double-escaped)
In theory this could allow SQL injection; in practice the mail address
regex limits this issue to a DoS (creating a mail address containing ' caused
an invalid query that broke list-virtual)
------------------------------------------------------------------------
r1811 | christian_boltz | 2015-10-02 20:52:17 +0200 (Fr, 02. Okt 2015) | 4 Zeilen
list-virtual_alias_domain:
- also assign RAW_items (from $RAW_tAliasDomains)
------------------------------------------------------------------------
r1812 | christian_boltz | 2015-10-03 10:58:21 +0200 (Sa, 03. Okt 2015) | 10 Zeilen
list.tpl:
- base edit, editactive and delete links on $RAW_item to avoid double
escaping ($items is already html-escaped, and we url-escape it for
links). This fixes the remaining part of
http://sourceforge.net/p/postfixadmin/bugs/356/
- simplify displaying "html" fields by using $RAW_item. This also fixes
problems with funny[tm] item names that differ when html-encoded (like
the ' char)
------------------------------------------------------------------------
Index: functions.inc.php
===================================================================
--- functions.inc.php (Revision 1802)
+++ functions.inc.php (Revision 1817)
@@ -1755,9 +1755,9 @@
list(/*NULL*/,$stat_domain) = explode('@',$g);
$stat_delimiter = "";
if (!empty($CONF['recipient_delimiter'])) {
- $stat_delimiter = "OR address = '" . preg_replace($delimiter_regex, "@", $g) . "'";
+ $stat_delimiter = "OR address = '" . escape_string(preg_replace($delimiter_regex, "@", $g)) . "'";
}
- $stat_result = db_query ("SELECT address FROM $table_alias WHERE address = '$g' OR address = '@$stat_domain' $stat_delimiter");
+ $stat_result = db_query ("SELECT address FROM $table_alias WHERE address = '" . escape_string($g) . "' OR address = '@" . escape_string($stat_domain) . "' $stat_delimiter");
if ($stat_result['rows'] == 0) {
$stat_ok = 0;
}
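Review bot: The escaping added on L35 and L38 closes the quoting hole, but the statement is still assembled by string concatenation, so its safety now rests entirely on escape_string() matching the connection's charset and on nothing else being interpolated raw; `$table_alias` and `$stat_delimiter` are still spliced in unescaped, which is only fine while they are built from config and from the already-escaped value above. If db_query() can take bound parameters (not visible here), that would be the more robust form for these three values. A comment would help the next reader: `// $g comes from the alias table and may contain quotes: escape every value, never interpolate $g or $stat_domain raw`. gen_show_status() begins and ends outside this hunk, so $g, $delimiter_regex and $table_alias are assigned out of view.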
Index: templates/list-virtual_alias_domain.tpl
===================================================================
--- templates/list-virtual_alias_domain.tpl (Revision 1802)
+++ templates/list-virtual_alias_domain.tpl (Revision 1817)
@@ -6,4 +6,6 @@
{assign var="id_field" value=$msg.id_field}
{assign var="formconf" value=$aliasdomain_data.formconf}
{assign var="items" value=$tAliasDomains}
+{assign var="RAW_items" value=$RAW_tAliasDomains}
+
{include 'list.tpl'}
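Review bot: The new assign on L50 makes the included list.tpl depend on the PHP side providing `$RAW_tAliasDomains`; if that variable is not assigned, list.tpl's foreach over an undefined `$RAW_items` renders an empty table with no error, and this diff does not show the assignment. A one-line comment next to the assign would make the contract explicit: `{* list.tpl iterates $RAW_items and looks $items up by html-escaped id; both must be assigned *}`.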
Index: templates/list.tpl
===================================================================
--- templates/list.tpl (Revision 1802)
+++ templates/list.tpl (Revision 1817)
@@ -51,7 +51,8 @@
<td> </td>
</tr>
-{foreach from=$items item=item}
+{foreach from=$RAW_items item=RAW_item}
+ {assign "item" $items.{$RAW_item.$id_field|escape:"html"}} {* array keys in $items are html-escaped *}
{#tr_hilightoff#}
{foreach key=key item=field from=$struct}
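Review bot: The lookup on L62 only works if the keys of `$items` were produced with exactly the same escaping as Smarty's `escape:"html"` (htmlspecialchars with ENT_QUOTES); if the PHP side used different flags — the r1812 log entry itself notes that `'` encodes differently — the lookup misses, `$item` is null, and the row renders with empty cells and no edit/delete links instead of an error. The assumption should be stated in the template, e.g. `{* keys of $items must be htmlspecialchars(ENT_QUOTES) of the raw id, or this lookup silently fails *}`, and ideally `$items` would be keyed by the raw id on the PHP side so no re-escaping is needed at all. Every template that includes list.tpl must now also assign `$RAW_items`, since the loop is driven by it. The foreach opened on L61 closes outside this hunk.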
@@ -77,7 +78,7 @@
*}
{elseif $key == 'active'}
{if $item._can_edit}
- <a href="{#url_editactive#}{$table}&id={$item.$id_field|escape:"url"}&active={if ($item.active==0)}1{else}0{/if}&token={$smarty.session.PFA_token|escape:"url"}">{$item._active}</a>
+ <a href="{#url_editactive#}{$table}&id={$RAW_item.$id_field|escape:"url"}&active={if ($item.active==0)}1{else}0{/if}&token={$smarty.session.PFA_token|escape:"url"}">{$item._active}</a>
{else}
{$item._active}
{/if}
@@ -109,7 +110,7 @@
{elseif $field.type == 'txtl'}
{foreach key=key2 item=field2 from=$item.$key}{$field2}<br> {/foreach}
{elseif $field.type == 'html'}
- {$RAW_items.{$item.{$msg.id_field}}.$key}
+ {$RAW_item.$key}
{else}
{$linktext}
{/if}
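Review bot: `{$RAW_item.$key}` on L79 emits the field verbatim, so for `type == 'html'` any user-controlled text inside the value must already have been escaped where the PHP code builds it; nothing in the template guards that, and the simplification makes the unescaped output easier to overlook. A comment at the branch would keep the invariant visible to the next editor: `{* 'html' fields are emitted unescaped on purpose: the producer must htmlspecialchars() any user data it embeds *}`. The enclosing if/elseif chain and the row foreach both begin outside this hunk.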
@@ -118,8 +119,8 @@
{/if}
{/foreach}
- <td>{if $item._can_edit}<a href="edit.php?table={$table|escape:"url"}&edit={$item.$id_field|escape:"url"}">{$PALANG.edit}</a>{else} {/if}</td>
- <td>{if $item._can_delete}<a href="{#url_delete#}?table={$table}&delete={$item.$id_field|escape:"url"}&token={$smarty.session.PFA_token|escape:"url"}"
+ <td>{if $item._can_edit}<a href="edit.php?table={$table|escape:"url"}&edit={$RAW_item.$id_field|escape:"url"}">{$PALANG.edit}</a>{else} {/if}</td>
+ <td>{if $item._can_delete}<a href="{#url_delete#}?table={$table}&delete={$RAW_item.$id_field|escape:"url"}&token={$smarty.session.PFA_token|escape:"url"}"
onclick="return confirm ('{$PALANG.{$msg.confirm_delete}|replace:'%s':$item.$id_field}')">{$PALANG.del}</a>{else} {/if}</td>
</tr>
{/foreach}
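Review bot: The delete confirmation on L90 still substitutes `$item.$id_field` into a single-quoted JavaScript string with only HTML escaping applied; the browser decodes `&#039;` back to `'` before the script runs, so an address containing `'` (which the r1809 log entry says was creatable) terminates the string and breaks the dialog, and depending on which other characters the address regex admits this could let a stored address inject script into the page of any admin who opens the list. The substituted value should be JavaScript-escaped and then HTML-escaped for the attribute, e.g. `...|replace:'%s':($RAW_item.$id_field|escape:'javascript'|escape:'html')}')">`. Secondary: L89 interpolates `{$table}` without `escape:"url"` while L88 escapes it — harmless if `$table` is always a fixed table name, but the two links should match.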