Fix for URL injection vulnerability (Bug #1307966)
| | |
| | | } |
| | | |
| | | |
| | | // parse main template |
| | | parse_template($_task); |
| | | // only allow these templates to be included |
| | | $valid_tasks = array('mail','settings','addressbook'); |
| | | |
| | | // parse main template |
| | | if (in_array($_task, $valid_tasks)) |
| | | parse_template($_task); |
| | | |
| | | |
| | | // if we arrive here, something went wrong |
| | | raise_error(array('code' => 404, |
| | | 'type' => 'php', |
| | | 'line' => __LINE__, |
| | | 'file' => __FILE__, |
| | | 'message' => "Invalid request"), TRUE, TRUE); |
| | | |
| | | ?> |
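Review bot: The allowlist test `in_array($_task, $valid_tasks)` relies on PHP's default loose comparison; passing the strict flag, `if (in_array($_task, $valid_tasks, true))`, ensures only an exact string match reaches `parse_template()`, whatever type `$_task` ends up holding. The `if` has no braces, so a statement added later beside `parse_template($_task);` would silently run outside the guard; wrapping the call in `{ }` avoids that. The fall-through to `raise_error()` with code 404 looks like the intended rejection path, but it appears to depend on `parse_template()` ending the request, which is not visible in this section. A short comment would help, for example `// parse_template() does not return; reaching raise_error() means the task was rejected`.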
| | |
| | | else if ($ERROR_CODE==404) |
| | | { |
| | | $__error_title = "REQUEST FAILED/FILE NOT FOUND"; |
| | | $request_url = $GLOBALS['HTTP_HOST'].$GLOBALS['REQUEST_URI']; |
| | | $request_url = $_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']; |
| | | $__error_text = <<<EOF |
| | | The requested page was not found!<br /> |
| | | Please contact your server-administrator. |