[dev] patch against Turba HEAD to fix styles issue

Jan Schneider jan@horde.org
Tue, 19 Mar 2002 12:38:39 +0100


Quoting Ronnie Garcia <ronnie@mk2.net>:

>   This one fixes ListView::display which was loading html.php
>   It does now check for prefs settings and attempts to load the right 
> stylesheet if present.

Committed, thanks.

Jan.

--
http://www.horde.org - The Horde Project
http://www.ammma.de - discover your knowledge
http://www.tip4all.de - Your private betting pool


Subject: Re: [dev] cross site scripting bugs
From: Nuno Loureiro <nuno@eth.pt>
Date: 19 Mar 2002 11:49:38 +0000

As I said on my last email, on a footnote, I post a second patch for
RELENG, to avoid changing a function (because chuck told me to and he's
right). So, there are more variables with the same problem not covered
by my patch.

I'll comment some stuff I said previously that is not according to the
patch I submitted and present a new patch that covers all bugs of this
kind (I hope :>).

On Mon, 2002-03-18 at 21:36, Nuno Loureiro wrote:

> --------- horde/imp/mailbox.php:
>
>   Var $page is printed clearly in
> horde/imp/templates/mailbox/{message_footers,navbar}.inc, so you can
> change its content and run JS code. Var $mailbox suffers the same problem
> in horde/imp/templates/mailbox
>
>   Fix: add $page = Horde::getFormData('page') in mailbox.php

This actually doesn't fix it. You need to htmlspecialchars() it.
There are more variables with this problem like $mailbox.

The problem with $mailbox is that it doesn't output directly. It outputs
through $imp['label'] and it's part of $page_title.

To fix this, you need to htmlspecialchars() those variables in
horde/imp/templates/{commmon-header,common-footer}.inc and
horde/imp/templates/mailbox/header.inc.

> --------- horde/imp/compose.php:
>
>   Vars $references and $in_reply_to, found in spell check (actionID=131)
> have the same problem in horde/imp/templates/compose/spelling.inc.
>
>  Fix: htmlspecialchars($reference) and htmlspecialchars($in_reply_to) in
> spelling.inc

It's not enough. There are more variables with the same problem. These
are $mailbox, $index, $array_index, $changeall, $identity and $from.

Don't forget that $mailbox doesn't output directly. In this case, it
outputs through $imp['mailbox'].

You need to htmlspecialchars() them in
horde/imp/templates/compose/{spelling,bounce}.inc.

There is another variable ($search), that probably can be exploited in
spelling.inc. I didn't have time to test it properly. Maybe someone can
test it.

-------- horde/imp/message.php:

   Var $mailbox has the same problem. It outputs through $imp['label']
and $imp['mailbox'].

   Fix: htmlspecialchars() them in
horde/imp/templates/message/{navbar,navbar_aux_top}.inc

You can find a new patch that substitutes the old one at:

   http://hq.eth.pt/nuno/horde/patch2_CCSB-RELENG.gz

If anyone applied my previous patch and wants a new one against the
first one, please email me and I'll make it.

Regards,

   Nuno Loureiro




>
> You can find the patches described in this email here:
>
>  http://hq.eth.pt/nuno/horde/patch_CCSB-RELENG.gz
>  http://hq.eth.pt/nuno/horde/patch_CCSB-STABLE.gz
>
> You can apply patch_CCSB-RELENG to HEAD. At least, it just worked for
> me.
>
> The patches were done using cvs diff -u.
>
> Any comments are more than welcome.
>
> Regards,
>
>   Nuno
>
> PS: Talking with Chuck on IRC, he told me that changing return in $sess->url() function should be avoided.
> Not changing it, there are more variables that can be exploited. There was a problem with the original patch for RELENG, so I did
> a new one, so there are more variables with the same problem for sure.
>
> More on this subject to come...
>
> --
> Nuno Loureiro <nuno@eth.pt>
> Ethernet, Soluções Informáticas, LDA
> http://www.eth.pt
>
>
> --
> Horde Developers mailing list: http://horde.org/
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: dev-unsubscribe@lists.horde.org
--
Nuno Loureiro <nuno@eth.pt>
Ethernet, Soluções Informáticas, LDA
http://www.eth.pt
http://www.eth.pt
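
The point made in the message above, as an added example that is not part of the original post and is not Horde/IMP code: reading a value from form data does not neutralise it, and a value that reaches the page indirectly (here through $imp['label'] and $page_title) needs escaping at output just like one printed directly. The function names, the h() helper and the request values are assumptions made up for the illustration.

```php
<?php
// Added illustration; not Horde/IMP code. Function and array names are hypothetical.

// Escape at the point of output, for HTML text and quoted-attribute contexts.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed request values standing in for form data.
$request = [
    'page'    => '2"><script>alert(1)</script>',
    'mailbox' => 'INBOX<img src=x onerror=alert(1)>',
];

// Reading the value from form data only changes where it comes from;
// the bytes are unchanged, so this alone does not neutralise markup.
$page    = $request['page'];
$mailbox = $request['mailbox'];

// Indirect flow: the tainted value reaches output through derived variables.
$imp        = ['mailbox' => $mailbox, 'label' => $mailbox];
$page_title = 'Mail :: ' . $imp['label'];

// Template that prints the variables as-is (the behaviour being reported).
function render_unescaped(string $page, array $imp, string $page_title): string
{
    return "<title>$page_title</title>\n"
         . "<input type=\"hidden\" name=\"page\" value=\"$page\">\n"
         . "<input type=\"hidden\" name=\"mailbox\" value=\"{$imp['mailbox']}\">\n";
}

// Same template with every variable escaped where it is written out.
function render_escaped(string $page, array $imp, string $page_title): string
{
    return '<title>' . h($page_title) . "</title>\n"
         . '<input type="hidden" name="page" value="' . h($page) . "\">\n"
         . '<input type="hidden" name="mailbox" value="' . h($imp['mailbox']) . "\">\n";
}

$bad  = render_unescaped($page, $imp, $page_title);
$good = render_escaped($page, $imp, $page_title);

// Check whether raw tags survive in each rendering, then show the escaped page.
var_dump(strpos($bad, '<script>') !== false);
var_dump(strpos($good, '<script>') === false && strpos($good, '<img') === false);
echo $good;
```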