From b3ce7915610a6d272cc38ecd2a8b61e04ee4aeae Mon Sep 17 00:00:00 2001
From: thomascube <thomas@roundcube.net>
Date: Fri, 16 Feb 2007 14:35:03 -0500
Subject: [PATCH] Better input checking on GET and POST vars

---
 program/steps/mail/list.inc                |    4 -
 program/steps/settings/delete_identity.inc |    6 +--
 program/include/main.inc                   |    4 +-
 program/steps/mail/folders.inc             |    8 ++--
 program/steps/mail/func.inc                |   10 ++--
 program/steps/mail/show.inc                |    2 
 program/steps/mail/mark.inc                |    6 +-
 program/steps/settings/manage_folders.inc  |   12 +++---
 program/steps/mail/move_del.inc            |   19 +++++----
 9 files changed, 34 insertions(+), 37 deletions(-)

diff --git a/program/include/main.inc b/program/include/main.inc
index d914e3e..88c22b8 100644
--- a/program/include/main.inc
+++ b/program/include/main.inc
@@ -1689,12 +1689,12 @@
 function parse_attrib_string($str)
   {
   $attrib = array();
-  preg_match_all('/\s*([-_a-z]+)=["]([^"]+)["]?/i', stripslashes($str), $regs, PREG_SET_ORDER);
+  preg_match_all('/\s*([-_a-z]+)=(["\'])([^"]+)\2/Ui', stripslashes($str), $regs, PREG_SET_ORDER);
 
   // convert attributes to an associative array (name => value)
   if ($regs)
     foreach ($regs as $attr)
-      $attrib[strtolower($attr[1])] = $attr[2];
+      $attrib[strtolower($attr[1])] = $attr[3];
 
   return $attrib;
   }
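Review bot: The value class in the new pattern on the `preg_match_all` line still excludes only `"` regardless of which delimiter group 2 captured, so a single-quoted value that contains a double quote (`title='say "hi"'`) never matches and is silently dropped from `$attrib`, and the `+` quantifier rejects empty values such as `alt=""`. Because the `U` modifier already makes quantifiers lazy, `(.*)\2` stops at the matching delimiter for either quote style: `preg_match_all('/\s*([-_a-z]+)=(["\'])(.*)\2/Ui', stripslashes($str), $regs, PREG_SET_ORDER);`. This input is template markup rather than request data, so the consequence is lost attributes, not injection.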
diff --git a/program/steps/mail/folders.inc b/program/steps/mail/folders.inc
index 2d16032..1b7007c 100644
--- a/program/steps/mail/folders.inc
+++ b/program/steps/mail/folders.inc
@@ -25,10 +25,10 @@
 // send EXPUNGE command
 if ($_action=='expunge')
   {
-  $success = $IMAP->expunge($_GET['_mbox']);
+  $success = $IMAP->expunge(get_input_value('_mbox', RCUBE_INPUT_GET));
 
   // reload message list if current mailbox  
-  if ($success && $_GET['_reload'])
+  if ($success && !empty($_GET['_reload']))
     {
     rcube_remote_response('this.message_list.clear();', TRUE);
     $_action = 'list';
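Review bot: When `_mbox` is absent, the new `$IMAP->expunge(get_input_value('_mbox', RCUBE_INPUT_GET))` call hands whatever the helper returns for a missing parameter (presumably null or an empty string) to the IMAP layer instead of a folder name. If `expunge()` does not itself fall back to the selected folder, resolve it here: `$mbox = get_input_value('_mbox', RCUBE_INPUT_GET); if (!strlen($mbox)) $mbox = $IMAP->get_mailbox_name(); $success = $IMAP->expunge($mbox);`. `get_mailbox_name()` is what move_del.inc uses for the current folder, so the fallback would be consistent with the rest of the patch.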
@@ -41,9 +41,9 @@
 // clear mailbox
 else if ($_action=='purge')
   {
-  $success = $IMAP->clear_mailbox($_GET['_mbox']);
+  $success = $IMAP->clear_mailbox(get_input_value('_mbox', RCUBE_INPUT_GET));
   
-  if ($success && $_GET['_reload'])
+  if ($success && !empty($_GET['_reload']))
     {
     $commands = "this.message_list.clear();\n";
     $commands .= "this.set_env('messagecount', 0);\n";
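Review bot: `purge` (and `expunge` above it) still irreversibly deletes mail on the strength of a plain GET request whose only inputs are `_mbox` and `_reload`; the patch tightens the values, but nothing in the hunk ties the request to the user's session, so unless a per-session token is verified before folders.inc is included, a link or image tag on a third-party page can empty a logged-in user's folder. Stricter value checking does not address that; the fix is a request token stored in `$_SESSION` and compared with `===` against a parameter the client sends, rejecting the action before `clear_mailbox()` is reached. Requiring POST for these two actions would be a cheap interim hardening, though the client call site is outside this hunk.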
diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc
index 037e83f..ec257b6 100644
--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
@@ -30,16 +30,16 @@
 }
 
 // set imap properties and session vars
-if (strlen($mbox = get_input_value('_mbox', RCUBE_INPUT_GET)))
+if ($mbox = get_input_value('_mbox', RCUBE_INPUT_GPC))
   {
   $IMAP->set_mailbox($mbox);
   $_SESSION['mbox'] = $mbox;
   }
 
-if (strlen($_GET['_page']))
+if (!empty($_GET['_page']))
   {
-  $IMAP->set_page($_GET['_page']);
-  $_SESSION['page'] = $_GET['_page'];
+  $IMAP->set_page((int)$_GET['_page']);
+  $_SESSION['page'] = (int)$_GET['_page'];
   }
 
 // set mailbox to INBOX if not set
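Review bot: Replacing `strlen($mbox = ...)` with a truthiness test on the `if ($mbox = get_input_value('_mbox', RCUBE_INPUT_GPC))` line means a folder literally named `0` can no longer be selected, since the string `'0'` is falsy in PHP; keep the length check: `if (strlen($mbox = get_input_value('_mbox', RCUBE_INPUT_GPC)))`. Widening the source from GET to GPC also allows the current folder to be set from a cookie, which looks unintended for a parameter the client always sends in the request. The `(int)$_GET['_page']` cast still admits `-1` or `abc` (which becomes 0), so if pages are 1-based, as the `!empty` rejecting `0` suggests, clamp once before the two assignments: `$page = max(1, (int)$_GET['_page']);`.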
@@ -59,7 +59,7 @@
 
 // define url for getting message parts
 if (strlen($_GET['_uid']))
-  $GET_URL = sprintf('%s&_action=get&_mbox=%s&_uid=%d', $COMM_PATH, $IMAP->get_mailbox_name(), $_GET['_uid']);
+  $GET_URL = sprintf('%s&_action=get&_mbox=%s&_uid=%d', $COMM_PATH, $IMAP->get_mailbox_name(), get_input_value('_uid', RCUBE_INPUT_GET));
 
 
 // set current mailbox in client environment
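Review bot: The folder name is still interpolated into `$GET_URL` through a bare `%s`, so a mailbox containing `&`, `#`, `%` or a space produces a broken `_mbox` query parameter, and the guard on the line above still reads `$_GET['_uid']` directly while the body now goes through `get_input_value()`. Encode the folder and use the accessor consistently: `$GET_URL = sprintf('%s&_action=get&_mbox=%s&_uid=%d', $COMM_PATH, urlencode($IMAP->get_mailbox_name()), get_input_value('_uid', RCUBE_INPUT_GET));` with `if (!empty($_GET['_uid']))` as the guard (IMAP UIDs are never 0). Whether `$COMM_PATH` is already encoded is outside this hunk.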
diff --git a/program/steps/mail/list.inc b/program/steps/mail/list.inc
index 9e3b38d..6e06374 100644
--- a/program/steps/mail/list.inc
+++ b/program/steps/mail/list.inc
@@ -22,10 +22,8 @@
 $REMOTE_REQUEST = TRUE;
 $OUTPUT_TYPE = 'js';
 
-$sort = isset($_GET['_sort']) ? $_GET['_sort'] : false;
-
 // is there a sort type for this request?
-if ($sort)
+if ($sort = get_input_value('_sort', RCUBE_INPUT_GET))
   {
   // yes, so set the sort vars
   list($sort_col, $sort_order) = explode('_', $sort);
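Review bot: `$sort` now comes from `get_input_value()` but its shape is never checked before `list($sort_col, $sort_order) = explode('_', $sort);`, so a value without an underscore leaves `$sort_order` unset, and an arbitrary column name travels on to whatever performs the sort (the consumer is below the hunk, so I cannot tell whether it re-validates). Gate the format here, substituting the real column list: `if (($sort = get_input_value('_sort', RCUBE_INPUT_GET)) && preg_match('/^[a-z]+_(ASC|DESC)$/', $sort))`. A value that fails the pattern should fall through to the session or default sort rather than be applied.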
diff --git a/program/steps/mail/mark.inc b/program/steps/mail/mark.inc
index e6e06f9..780bf5c 100644
--- a/program/steps/mail/mark.inc
+++ b/program/steps/mail/mark.inc
@@ -25,10 +25,10 @@
                      'read' => 'SEEN',
                      'unread' => 'UNSEEN');
 
-if ($_GET['_uid'] && $_GET['_flag'])
+if (($uids = get_input_value('_uid', RCUBE_INPUT_GET)) && ($flag = get_input_value('_flag', RCUBE_INPUT_GET)))
   {
-  $flag = $a_flags_map[$_GET['_flag']] ? $a_flags_map[$_GET['_flag']] : strtoupper($_GET['_flag']);
-  $marked = $IMAP->set_flag($_GET['_uid'], $flag);
+  $flag = $a_flags_map[$flag] ? $a_flags_map[$flag] : strtoupper($flag);
+  $marked = $IMAP->set_flag($uids, $flag);
   if ($marked != -1)
     {
     $mbox_name = $IMAP->get_mailbox_name();
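Review bot: Unknown flag names are still forwarded: when `$flag` is not a key of `$a_flags_map`, the `$flag = $a_flags_map[$flag] ? ... : strtoupper($flag)` line uppercases the raw request value and passes it to `set_flag()`, so the map only normalises known names instead of restricting input; if `set_flag()` builds the IMAP STORE command by concatenation, a value containing a space or parenthesis reaches the server unchanged (that code is not visible here). `$uids` is likewise passed without the digits-only check this same commit applies to `_iid` in delete_identity.inc. Reject both in the guard: `if (($uids = get_input_value('_uid', RCUBE_INPUT_GET)) && preg_match('/^[0-9]+(,[0-9]+)*$/', $uids) && ($flag = get_input_value('_flag', RCUBE_INPUT_GET)) && isset($a_flags_map[$flag]))` followed by `$flag = $a_flags_map[$flag];`; if the client legitimately sends names outside the map, extend the map rather than keep the fallback.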
diff --git a/program/steps/mail/move_del.inc b/program/steps/mail/move_del.inc
index b0079f7..8d31e3a 100644
--- a/program/steps/mail/move_del.inc
+++ b/program/steps/mail/move_del.inc
@@ -22,10 +22,11 @@
 $REMOTE_REQUEST = TRUE;
 
 // move messages
-if ($_action=='moveto' && $_GET['_uid'] && $_GET['_target_mbox'])
+if ($_action=='moveto' && !empty($_GET['_uid']) && !empty($_GET['_target_mbox']))
   {
-  $count = sizeof(explode(',', $_GET['_uid']));
-  $moved = $IMAP->move_message($_GET['_uid'], $_GET['_target_mbox'], $_GET['_mbox']);
+  $count = sizeof(explode(',', ($uids = get_input_value('_uid', RCUBE_INPUT_GET))));
+  $target = get_input_value('_target_mbox', RCUBE_INPUT_GET);
+  $moved = $IMAP->move_message($uids, $target, get_input_value('_mbox', RCUBE_INPUT_GET));
   
   if (!$moved)
     {
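Review bot: `$uids` reaches `move_message()` unvalidated on the `$moved =` line, and `$count` is derived by exploding it, so `_uid=a,b,c` yields a count of 3 and an IMAP request carrying non-numeric UIDs; this commit validates `_iid` in delete_identity.inc with `/^[0-9]+(,[0-9]+)*$/` and the same gate belongs here. Fold it into the guard: `if ($_action=='moveto' && ($uids = get_input_value('_uid', RCUBE_INPUT_GET)) && preg_match('/^[0-9]+(,[0-9]+)*$/', $uids) && ($target = get_input_value('_target_mbox', RCUBE_INPUT_GET)))`. Since `$target` is only assigned inside this branch but tested again at the end of the file, initialise it with `$target = null;` before the chain to avoid an undefined-variable notice when the action is `moveto` but `_uid` is empty.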
@@ -38,10 +39,10 @@
   }
 
 // delete messages 
-else if ($_action=='delete' && $_GET['_uid'])
+else if ($_action=='delete' && !empty($_GET['_uid']))
   {
-  $count = sizeof(explode(',', $_GET['_uid']));
-  $del = $IMAP->delete_message($_GET['_uid'], $_GET['_mbox']);
+  $count = sizeof(explode(',', ($uids = get_input_value('_uid', RCUBE_INPUT_GET))));
+  $del = $IMAP->delete_message($uids, get_input_value('_mbox', RCUBE_INPUT_GET));
   
   if (!$del)
     {
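Review bot: The guard `!empty($_GET['_uid'])` tests the raw value while the body uses `get_input_value()`, so if the helper strips or rejects the value, `$uids` can be empty inside the branch, `explode` still counts 1 and `delete_message('')` is issued. Test the filtered value and its format instead: `else if ($_action=='delete' && ($uids = get_input_value('_uid', RCUBE_INPUT_GET)) && preg_match('/^[0-9]+(,[0-9]+)*$/', $uids))`. That also keeps the digits-only rule consistent with delete_identity.inc in this same commit.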
@@ -60,7 +61,7 @@
   }
 
 // refresh saved seach set after moving some messages
-if (($search_request = $_GET['_search']) && $IMAP->search_set)
+if (($search_request = get_input_value('_search', RCUBE_INPUT_GPC)) && $IMAP->search_set)
   $_SESSION['search'][$search_request] = $IMAP->refresh_search();
 
 
@@ -75,8 +76,8 @@
 $mbox = $IMAP->get_mailbox_name();
 $commands .= sprintf("this.set_unread_count('%s', %d);\n", $mbox, $IMAP->messagecount($mbox, 'UNSEEN'));
 
-if ($_action=='moveto')
-  $commands .= sprintf("this.set_unread_count('%s', %d);\n", $_GET['_target_mbox'], $IMAP->messagecount($_GET['_target_mbox'], 'UNSEEN'));
+if ($_action=='moveto' && $target)
+  $commands .= sprintf("this.set_unread_count('%s', %d);\n", $target, $IMAP->messagecount($target, 'UNSEEN'));
 
 $commands .= sprintf("this.set_quota('%s');\n", $IMAP->get_quota()); 
 
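Review bot: `$target`, which is request input from `_target_mbox`, is spliced into the JavaScript response on the `this.set_unread_count('%s', %d)` line through a bare `%s`, so a folder name containing `'` or `\` breaks or alters the generated script; the `$mbox` line above has the same shape, although that value has at least passed through the IMAP layer. Quote both for a single-quoted JS string, using the project's JS-escaping helper if one exists and `addslashes()` as the minimum: `$commands .= sprintf("this.set_unread_count('%s', %d);\n", addslashes($target), $IMAP->messagecount($target, 'UNSEEN'));`. Whether this is reflected script injection or merely a broken counter update depends on how the client executes the response, which the hunk does not show.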
diff --git a/program/steps/mail/show.inc b/program/steps/mail/show.inc
index b1fa7cf..841a41b 100644
--- a/program/steps/mail/show.inc
+++ b/program/steps/mail/show.inc
@@ -64,7 +64,7 @@
 
   // mark message as read
   if (!$MESSAGE['headers']->seen && $_action != 'preview')
-    $IMAP->set_flag($_GET['_uid'], 'SEEN');
+    $IMAP->set_flag($MESSAGE['UID'], 'SEEN');
 
   // give message uid to the client
   $javascript = sprintf("%s.set_env('uid', '%s');\n", $JS_OBJECT_NAME, $MESSAGE['UID']);
diff --git a/program/steps/settings/delete_identity.inc b/program/steps/settings/delete_identity.inc
index 24bf99c..560a2b1 100644
--- a/program/steps/settings/delete_identity.inc
+++ b/program/steps/settings/delete_identity.inc
@@ -19,14 +19,12 @@
 
 */
 
-$REMOTE_REQUEST = $_GET['_remote'] ? TRUE : FALSE;
-
-if ($_GET['_iid'] && preg_match('/^[0-9]+(,[0-9]+)*$/',$_GET['_iid']))
+if (($ids = get_input_value('_iid', RCUBE_INPUT_GET)) && preg_match('/^[0-9]+(,[0-9]+)*$/', $ids))
   {
   $DB->query("UPDATE ".get_table_name('identities')."
               SET    del=1
               WHERE  user_id=?
-              AND    identity_id IN (".$_GET['_iid'].")",
+              AND    identity_id IN (".$ids.")",
               $_SESSION['user_id']);
 
   $count = $DB->affected_rows();
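Review bot: The `IN (".$ids.")` concatenation is safe only because of the `preg_match('/^[0-9]+(,[0-9]+)*$/', $ids)` gate directly above it, and nothing records that dependency; a later edit that relaxes the pattern or moves the check turns the statement into SQL injection. Add the `D` modifier so `$` cannot match before a trailing newline (`/^[0-9]+(,[0-9]+)*$/D`) and put a comment on the query: `// $ids is digits and commas only (regex above) -- never interpolate anything else here`. Binding each id as its own placeholder would remove the dependency entirely, if `$DB->query()` accepts a variable number of parameters.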
diff --git a/program/steps/settings/manage_folders.inc b/program/steps/settings/manage_folders.inc
index 8abd2c3..4759dd2 100644
--- a/program/steps/settings/manage_folders.inc
+++ b/program/steps/settings/manage_folders.inc
@@ -26,8 +26,8 @@
 // subscribe to one or more mailboxes
 if ($_action=='subscribe')
   {
-  if (strlen($_GET['_mboxes']))
-    $IMAP->subscribe(array($_GET['_mboxes']));
+  if ($mboxes = get_input_value('_mboxes', RCUBE_INPUT_GET))
+    $IMAP->subscribe(array($mboxes));
 
   if ($REMOTE_REQUEST)
     rcube_remote_response('// subscribed');
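Review bot: The return value of `$IMAP->subscribe(array($mboxes))` is discarded and `rcube_remote_response('// subscribed')` is sent whether or not the subscription succeeded, whereas the `delete-folder` branch of this same file tests `$deleted` before answering; the client therefore treats the folder as subscribed when the server refused. Capture the result, `$subscribed = $IMAP->subscribe(array($mboxes));`, and send an error response instead of the success comment when it is false, in whatever form `delete-folder` uses for its failure case (that part is below the hunk). The `unsubscribe` branch has the same gap.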
@@ -36,8 +36,8 @@
 // unsubscribe one or more mailboxes
 else if ($_action=='unsubscribe')
   {
-  if (strlen($_GET['_mboxes']))
-    $IMAP->unsubscribe(array($_GET['_mboxes']));
+  if ($mboxes = get_input_value('_mboxes', RCUBE_INPUT_GET))
+    $IMAP->unsubscribe(array($mboxes));
 
   if ($REMOTE_REQUEST)
     rcube_remote_response('// unsubscribed');
@@ -95,8 +95,8 @@
 // delete an existing IMAP mailbox
 else if ($_action=='delete-folder')
   {
-  if (!empty($_GET['_mboxes']))
-    $deleted = $IMAP->delete_mailbox(array(get_input_value('_mboxes', RCUBE_INPUT_GET)));
+  if (get_input_value('_mboxes', RCUBE_INPUT_GET))
+    $deleted = $IMAP->delete_mailbox(array($mboxes));
 
   if ($REMOTE_REQUEST && $deleted)
     {
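Review bot: `$mboxes` is never assigned in this branch: the new guard `if (get_input_value('_mboxes', RCUBE_INPUT_GET))` discards the value, and the `$mboxes = ...` assignments live in the `subscribe`/`unsubscribe` arms of the same `if`/`else if` chain, so `delete_mailbox(array($mboxes))` receives `array(null)` unless `$mboxes` is set before the chain, which these hunks do not show. Keep the assignment as the other two branches do: `if ($mboxes = get_input_value('_mboxes', RCUBE_INPUT_GET))`. As written the action either deletes nothing or, depending on how `delete_mailbox()` treats an empty name, something other than the requested folder, so this is worth an explicit test.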
