Fix for URL injection vulnerability (Bug #1307966)
| | |
|---|
| | | } |
|---|
| | | |
|---|
| | | |
|---|
| | | // parse main template |
|---|
| | | parse_template($_task); |
|---|
| | | // only allow these templates to be included |
|---|
| | | $valid_tasks = array('mail','settings','addressbook'); |
|---|
| | | |
|---|
| | | // parse main template |
|---|
| | | if (in_array($_task, $valid_tasks)) |
|---|
| | | parse_template($_task); |
|---|
| | | |
|---|
| | | |
|---|
| | | // if we arrive here, something went wrong |
|---|
| | | raise_error(array('code' => 404, |
|---|
| | | 'type' => 'php', |
|---|
| | | 'line' => __LINE__, |
|---|
| | | 'file' => __FILE__, |
|---|
| | | 'message' => "Invalid request"), TRUE, TRUE); |
|---|
| | | |
|---|
| | | ?> |
|---|
| | |
|---|
| | | else if ($ERROR_CODE==404) |
|---|
| | | { |
|---|
| | | $__error_title = "REQUEST FAILED/FILE NOT FOUND"; |
|---|
| | | $request_url = $GLOBALS['HTTP_HOST'].$GLOBALS['REQUEST_URI']; |
|---|
| | | $request_url = $_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']; |
|---|
| | | $__error_text = <<<EOF |
|---|
| | | The requested page was not found!<br /> |
|---|
| | | Please contact your server-administrator. |
|---|
