From b782815dacda55eee6793249b5da1789256206fc Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Sat, 30 May 2015 11:37:06 -0400
Subject: [PATCH] Fix XSS vulnerability in _mbox argument handling (#1490417)

---
 CHANGELOG                  |    1 +
 program/include/rcmail.php |    2 +-
 2 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index c858493..6090318 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -39,6 +39,7 @@
 - Fix potential info disclosure issue by protecting directory access (#1490378)
 - Fix blank image in html_signature when saving identity changes (#1490412)
 - Installer: Use openssl_random_pseudo_bytes() (if available) to generate des_key (#1490402)
+- Fix XSS vulnerability in _mbox argument handling (#1490417)
 
 RELEASE 1.1.1
 -------------
diff --git a/program/include/rcmail.php b/program/include/rcmail.php
index e3e45e2..490e836 100644
--- a/program/include/rcmail.php
+++ b/program/include/rcmail.php
@@ -1822,7 +1822,7 @@
             }
             else {
                 $error = 'servererrormsg';
-                $args  = array('msg' => $err_str);
+                $args  = array('msg' => rcube::Q($err_str));
             }
         }
         else if ($err_code < 0) {
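Review bot: The new `rcube::Q($err_str)` call in the `servererrormsg` branch carries no comment explaining why `$err_str` is untrusted, so a later cleanup could drop the escape or add a sibling branch without it. I would add a comment above the assignment, such as `// $err_str is server-supplied and may echo request input (e.g. _mbox); escape before it is substituted into the HTML message`. Escaping at this call site only helps if the code that renders `$args['msg']` outputs it as HTML without escaping again, so check that renderer for double-encoding. Also confirm that no other caller passes raw server error text to the same renderer. The enclosing function starts and ends outside the hunk, so neither point can be checked from here.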

--
Gitblit v1.9.1