functions.inc.php:

- fix SQL injection in show_gen_status() (backport of trunk r1639) - update version number to 2.3.7 (+ CHANGELOG.TXT update) git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/branches/postfixadmin-2.3@1650 a1433add-5e2c-0410-b055-b7f2511e0802
10 years ago · 584583c9d8
parent 95f73e2a10
commit 584583c9d8
2 changed files with 5 additions and 2 deletions
--- a/CHANGELOG.TXT
+++ b/CHANGELOG.TXT
@ -10,8 +10,9 @@
 # Last update:
 # $Id$

-Changes since 2.3.6 release
+Version 2.3.7 - 2014/02/__ - SVN r16__ (postfixadmin-2.3 branch)
 ----------------------------------------------------------------
+  - SECURITY: fix SQL injection in show_gen_status()
  - lt.lang, da.lang translation update
  - when enabling/disabling a mailbox, also update the corresponding alias
  - fix creating superadmin in setup.php with MariaDB (more strict SQL)
--- a/functions.inc.php
+++ b/functions.inc.php
@ -16,7 +16,7 @@
 * Contains re-usable code.
 */

-$version = '2.3.6';
+$version = '2.3.7';

 /**
 * check_session
@ -2175,6 +2175,8 @@ function gen_show_status ($show_alias)
    global $CONF, $table_alias;
    $stat_string = "";

+    $show_alias = escape_string($show_alias);
+
    $stat_goto = "";
    $stat_result = db_query ("SELECT goto FROM $table_alias WHERE address='$show_alias'");
    if ($stat_result['rows'] > 0)