From 3b38d12315a5b67e6ddfe9c9b27ceae321ea3325 Mon Sep 17 00:00:00 2001
From: David Goodwin
Date: Tue, 2 Oct 2007 11:58:11 +0000
Subject: [PATCH] ensure domain name is in a list of valid domain names; set for use within the template so the right one is selected if ?domain=XXX was in the url
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@110 a1433add-5e2c-0410-b055-b7f2511e0802
---
 create-mailbox.php | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/create-mailbox.php b/create-mailbox.php
index 51a4d465..7b63e3c7 100644
--- a/create-mailbox.php
+++ b/create-mailbox.php
@@ -46,7 +46,7 @@ if(authentication_has_role('global-admin')) {
 $list_domains = list_domains ();
 } else {
- $list_domains = list_domains_for_admin ($SESSID_USERNAME);
+ $list_domains = list_domains_for_admin($SESSID_USERNAME);
 }
@@ -56,14 +56,18 @@ $pCreate_mailbox_quota_text = $PALANG['pCreate_mailbox_quota_text'];
 if ($_SERVER['REQUEST_METHOD'] == "GET") {
+ $fDomain = $list_domains[0];
 if (isset ($_GET['domain'])) $fDomain = escape_string ($_GET['domain']);
+ if(!in_array($fDomain, $list_domains)) {
+ die("Invalid domain name selected, or you tried to select a domain you are not an admin for");
+ }
+ $tDomain = $fDomain;
 $result = db_query ("SELECT * FROM $table_domain WHERE domain='$fDomain'");
 if ($result['rows'] == 1) {
 $row = db_array ($result['result']);
 $tQuota = $row['maxquota'];
- }
 }
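Review bot: In the second hunk, `in_array($fDomain, $list_domains)` uses loose comparison and `$list_domains[0]` is read before anyone checks that the list is non-empty, so an admin with no domains hits an undefined-offset notice before reaching the `die`. Suggest strict comparison plus an explicit empty-list guard, `if (empty($list_domains) || !in_array($fDomain, $list_domains, true)) {`, which keeps the check fail-closed for both cases. Because the `db_query` line that follows still interpolates `$fDomain` straight into SQL, this membership check is now what makes that query safe, and that deserves a comment on the `in_array` line such as `// $fDomain must be one of the caller's own domains; the interpolated SQL below relies on this`. The POST branch of this request handler is outside the hunk; if it also takes a domain from the request, the same allowlist check presumably belongs there too.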