From 334475a50bcc97a8c326aadff0dcbb61fad40a4f Mon Sep 17 00:00:00 2001
From: Till Krüss <me@tillkruess.com>
Date: Mon, 10 Feb 2014 11:02:06 -0500
Subject: [PATCH] prevent unwanted code execution via CURLOPT_POSTFIELDS
---
plugins/password/drivers/domainfactory.php | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/plugins/password/drivers/domainfactory.php b/plugins/password/drivers/domainfactory.php
index e253faa..6e12198 100644
--- a/plugins/password/drivers/domainfactory.php
+++ b/plugins/password/drivers/domainfactory.php
@@ -29,11 +29,11 @@
CURLOPT_RETURNTRANSFER => true,
CURLOPT_URL => 'https://ssl.df.eu/chmail.php',
CURLOPT_POST => true,
- CURLOPT_POSTFIELDS => array(
+ CURLOPT_POSTFIELDS => http_build_query(array(
'login' => $rcmail->user->get_username(),
'pwd' => $curpass,
'action' => 'change'
- )
+ ))
));
if ($result = curl_exec($ch)) {
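Review bot: The string built by `http_build_query()` on the new `CURLOPT_POSTFIELDS` line is joined with PHP's `arg_separator.output` ini setting, so on an installation where that value is not `&` (for example `&amp;`) the `login`, `pwd` and `action` fields may not be parsed as separate parameters by the remote endpoint. Passing the separator explicitly makes the request independent of server configuration: `http_build_query(array(...), '', '&')`. A short comment above the call would also help, e.g. `// encode to a string: in array form PHP's cURL binding can treat a value starting with "@" as a file to upload`, so the wrapper is not later removed as redundant. The `curl_setopt_array()` call begins above this hunk and the `if` body continues below it, so the remaining options and the response handling are not visible here.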
--
Gitblit v1.9.1