From 129a65b8c590a14fc5d995be93872e8269ae4fac Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Fri, 2 Oct 2015 17:45:16 +0000
Subject: [PATCH] functions.inc.php: - gen_show_status(): escape mail addresses in query. Fixes https://sourceforge.net/p/postfixadmin/bugs/356/ (mostly - the edit/delete/... links in list-virtual are double-escaped) In theory this could allow SQL injection, in practise the mail address regex limits this issue to a DOS (creating a mail address with ' caused an invalid query that broke list-virtual) git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1809 a1433add-5e2c-0410-b055-b7f2511e0802
---
 functions.inc.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/functions.inc.php b/functions.inc.php
index c3e34eb1..f3631526 100644
--- a/functions.inc.php
+++ b/functions.inc.php
@@ -1755,9 +1755,9 @@ function gen_show_status ($show_alias) {
 list(/*NULL*/,$stat_domain) = explode('@',$g);
 $stat_delimiter = "";
 if (!empty($CONF['recipient_delimiter'])) {
- $stat_delimiter = "OR address = '" . preg_replace($delimiter_regex, "@", $g) . "'";
+ $stat_delimiter = "OR address = '" . escape_string(preg_replace($delimiter_regex, "@", $g)) . "'";
 }
- $stat_result = db_query ("SELECT address FROM $table_alias WHERE address = '$g' OR address = '@$stat_domain' $stat_delimiter");
+ $stat_result = db_query ("SELECT address FROM $table_alias WHERE address = '" . escape_string($g) . "' OR address = '@" . escape_string($stat_domain) . "' $stat_delimiter");
 if ($stat_result['rows'] == 0) {
 $stat_ok = 0;
 }
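Review bot: The rewritten `db_query` call is safe only as long as `escape_string()` escapes correctly for the active database driver and connection character set, because the statement is still built by string concatenation; neither helper is visible in this hunk, so that is worth confirming. `$table_alias` is interpolated unescaped on the same line, which is fine only if it always comes from configuration rather than request data. A short comment above the query would keep a later edit from reintroducing a raw value, for example `// every address fragment placed in this query must go through escape_string()`. If `db_query()` ever gains bound parameters, this query is a good first candidate for them. `gen_show_status()` starts and ends outside the hunk, so other uses of `$g` in it could not be checked.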