[Tickets #7926] Re: Message option "Show All Headers" causes error
bugs at horde.org
Tue Feb 3 03:35:19 UTC 2009
Ticket URL: http://bugs.horde.org/ticket/7926
------------------------------------------------------------------------------
Ticket | 7926
Updated By | Michael Slusarz <slusarz at horde.org>
Summary | Message option "Show All Headers" causes error
Queue | IMP
Version | 4.3.3
Type | Bug
State | Assigned
Priority | 1. Low
Milestone |
Patch |
Owners | Horde Developers, Michael Slusarz, Chuck Hagenbuch
------------------------------------------------------------------------------
Michael Slusarz <slusarz at horde.org> (2009-02-02 22:35) wrote:
> The show-header-action urls are htmlencoded twice. I think this is
> happening in the Util::removeParameter() call not correctly
> determining whether the url is already encoded.
No - that's not it. The problem is that the URL, when generated, is
htmlencoded and the & separator is also htmlencoded. Then, for some
reason, we are calling htmlspecialchars() again when injecting into
the template object.
So I guess I don't understand what this commit is trying to protect against:
-----
fix some unescaped output
Revision Changes Path
1.699.2.375 +2 -0 imp/docs/CHANGES
2.560.4.58 +6 -6 imp/message.php
2.79.6.19 +3 -3 imp/pgp.php
2.48.4.14 +3 -3 imp/smime.php
Chora Links:
http://cvs.horde.org/diff.php/imp/docs/CHANGES?rt=horde&r1=1.699.2.374&r2=1.699.2.375&ty=u
http://cvs.horde.org/diff.php/imp/message.php?rt=horde&r1=2.560.4.57&r2=2.560.4.58&ty=u
http://cvs.horde.org/diff.php/imp/pgp.php?rt=horde&r1=2.79.6.18&r2=2.79.6.19&ty=u
http://cvs.horde.org/diff.php/imp/smime.php?rt=horde&r1=2.48.4.13&r2=2.48.4.14&ty=u
-----
Removing those htmlspecialchars() calls fixes things. This is *not*
the false positive security vulnerability that Gunnar reported
(QUERY_STRING data is irrelevant for purposes of Horde_Template
evaluation).
Sorry if I didn't catch this previously - I've been up in the
mountains a bunch the past few weeks and haven't had a bunch of time
to peruse list traffic.
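To make the double-encoding concrete, here is an added illustration (not Horde's code; the helper names `build_action_url` and `render_link_*` are hypothetical) of a link whose `&` separator is already HTML-encoded at generation time, escaped a second time when injected into the template, beside the fixed variant and a variant that escapes at the output boundary without re-encoding existing entities:

```php
<?php
// Added example reproducing the ticket's double-encoding bug.
// Hypothetical helpers, not Horde's Util::addParameter() / Horde_Template.

// Build a link whose query separators are already HTML-encoded, the way the
// ticket describes the show-header action URL being generated.
function build_action_url(string $base, array $params): string
{
    $pairs = [];
    foreach ($params as $k => $v) {
        $pairs[] = rawurlencode($k) . '=' . rawurlencode($v);
    }
    // Joining with "&amp;" makes the result HTML-safe for an href attribute.
    return htmlspecialchars($base, ENT_QUOTES, 'UTF-8') . '?' . implode('&amp;', $pairs);
}

// Buggy version: the already-encoded URL is escaped again when handed to the
// template, so the "&amp;" separator's own "&" becomes "&amp;" a second time.
// The browser decodes only one level and sends a literal "&amp;" in the query
// string, which breaks parameter parsing on the server side.
function render_link_double_encoded(string $url): string
{
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">Show All Headers</a>';
}

// Version matching the fix described in the ticket: the URL is trusted as
// already encoded and inserted as-is.
function render_link_fixed(string $url): string
{
    return '<a href="' . $url . '">Show All Headers</a>';
}

// Defensive variant: still escape at the output boundary (any raw "<" or quote
// in $url is neutralised) but leave existing entities alone by passing
// double_encode=false, a parameter htmlspecialchars() has since PHP 5.2.3.
function render_link_no_double(string $url): string
{
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8', false) . '">Show All Headers</a>';
}

// Constructed sample input.
$url = build_action_url('message.php', ['index' => '42', 'show_all_headers' => '1']);
echo render_link_double_encoded($url), "\n";
echo render_link_fixed($url), "\n";
echo render_link_no_double($url), "\n";
```

The difference between the first and the other two outputs is exactly the duplicated encoding of the separator; which of the two correct forms to use is a design choice between trusting the URL builder and escaping once at the template boundary.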