From 03f85589f8ead7fd00d68e9ed74b32222bbe1539 Mon Sep 17 00:00:00 2001
From: thomascube <thomas@roundcube.net>
Date: Tue, 04 Apr 2006 17:42:54 -0400
Subject: [PATCH] Strip tags on _auth, _action, _task parameters

---
 index.php |   13 ++++++++-----
 1 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/index.php b/index.php
index 8a98af6..9bc0e63 100644
--- a/index.php
+++ b/index.php
@@ -2,7 +2,7 @@
 /*
  +-----------------------------------------------------------------------+
  | RoundCube Webmail IMAP Client                                         |
- | Version 0.1-20060320                                                  |
+ | Version 0.1-20060402                                                  |
  |                                                                       |
  | Copyright (C) 2005, RoundCube Dev. - Switzerland                      |
  | Licensed under the GNU GPL                                            |
@@ -40,7 +40,7 @@
 
 */
 
-define('RCMAIL_VERSION', '0.1-20060320');
+define('RCMAIL_VERSION', '0.1-20060402');
 
 
 // define global vars
@@ -84,11 +84,14 @@
 
 
 // catch some url/post parameters
-$_auth = !empty($_POST['_auth']) ? $_POST['_auth'] : $_GET['_auth'];
-$_task = !empty($_POST['_task']) ? $_POST['_task'] : (!empty($_GET['_task']) ? $_GET['_task'] : 'mail');
-$_action = !empty($_POST['_action']) ? $_POST['_action'] : (!empty($_GET['_action']) ? $_GET['_action'] : '');
+$_auth = get_input_value('_auth', RCUBE_INPUT_GPC);
+$_task = get_input_value('_task', RCUBE_INPUT_GPC);
+$_action = get_input_value('_action', RCUBE_INPUT_GPC);
 $_framed = (!empty($_GET['_framed']) || !empty($_POST['_framed']));
 
+if (empty($_task))
+  $_task = 'mail';
+
 if (!empty($_GET['_remote']))
   $REMOTE_REQUEST = TRUE;
 
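Review bot: The three `get_input_value()` calls strip markup but do not validate. `$_task` and `$_action` can still carry any non-tag characters the client sends, such as dots, slashes or control bytes. If code further down index.php (outside this hunk) uses them to select an include file or handler, an allow-list check belongs right after the default is applied, e.g. `if (!preg_match('/^[a-z0-9_-]+$/i', $_task)) $_task = 'mail';`, with the same pattern for a non-empty `$_action`. Judging by its name, `RCUBE_INPUT_GPC` also consults cookies, which the removed lines never did; `get_input_value()` is not shown, so this is inferred. If so, a cookie named `_task`, `_action` or `_auth` could now steer the request, and a GET/POST-only source would keep the old trust boundary. A short comment such as `// values are tag-stripped only; validate before using as a path or handler name` would record the limit for later callers.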

--
Gitblit v1.9.1