From 9fb0f040c9f67fed16a2c9aef836af8f39aa4136 Mon Sep 17 00:00:00 2001
From: David Goodwin <david@palepurple.co.uk>
Date: Tue, 10 Jan 2012 16:08:48 +0000
Subject: [PATCH] fix xss from poor sanitisation/checking of $_GET[domain],
 thanks to Flippo Cavallarin for reporting this

git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/branches/postfixadmin-2.3@1321 a1433add-5e2c-0410-b055-b7f2511e0802
---
 templates/menu.php | 54 +++++++++++++++++++++++-----------------------
 1 file changed, 27 insertions(+), 27 deletions(-)

diff --git a/templates/menu.php b/templates/menu.php
index 0788a409..da68e8ef 100644
--- a/templates/menu.php
+++ b/templates/menu.php
@@ -1,8 +1,8 @@
 <?php if( !defined('POSTFIXADMIN') ) die( "This file cannot be used standalone." ); ?>
 <?php
 function _menulink ($href, $title, $submenu = "") {
-   if ($submenu != "") $submenu = "<ul><li><a target='_top' href='$href'>$title</a>$submenu</li></ul>";
-   return "<li><a target='_top' href='$href'>$title</a>$submenu</li>";
+    if ($submenu != "") $submenu = "<ul><li><a target='_top' href='$href'>$title</a>$submenu</li></ul>";
+    return "<li><a target='_top' href='$href'>$title</a>$submenu</li>";
 } 
 
 authentication_has_role('global-admin');
@@ -10,15 +10,15 @@ authentication_has_role('global-admin');
 echo "<div id='menu'>\n";
 echo "<ul>\n";
 
-$url = "create-mailbox.php"; if (isset ($_GET['domain'])) $url .= "?domain=" . $_GET['domain'];
+$url = "create-mailbox.php"; if (isset ($_GET['domain'])) $url .= "?domain=" . urlencode($_GET['domain']);
 $submenu_virtual = _menulink($url, $PALANG['pMenu_create_mailbox']);
 
-$url = "create-alias.php"; if (isset ($_GET['domain'])) $url .= "?domain=" . $_GET['domain'];
+$url = "create-alias.php"; if (isset ($_GET['domain'])) $url .= "?domain=" . urlencode($_GET['domain']);
 $submenu_virtual .=  _menulink($url, $PALANG['pMenu_create_alias']);
 
 if (boolconf('alias_domain')) {
-   $url = "create-alias-domain.php"; if (isset ($_GET['domain'])) $url .= "?target_domain=" . $_GET['domain'];
-   $submenu_virtual .=  _menulink($url, $PALANG['pMenu_create_alias_domain']);
+    $url = "create-alias-domain.php"; if (isset ($_GET['domain'])) $url .= "?target_domain=" . urlencode($_GET['domain']);
+    $submenu_virtual .=  _menulink($url, $PALANG['pMenu_create_alias_domain']);
 }
 
 $submenu_admin = _menulink("create-admin.php", $PALANG['pAdminMenu_create_admin']);
@@ -27,17 +27,17 @@ $submenu_fetchmail = _menulink("fetchmail.php?new=1", $PALANG['pFetchmail_new_en
 
 
 if (authentication_has_role('global-admin')) {
-   $submenu_domain = _menulink("create-domain.php", $PALANG['pAdminMenu_create_domain']);
-   $submenu_sendmail = _menulink("broadcast-message.php", $PALANG['pAdminMenu_broadcast_message']);
+    $submenu_domain = _menulink("create-domain.php", $PALANG['pAdminMenu_create_domain']);
+    $submenu_sendmail = _menulink("broadcast-message.php", $PALANG['pAdminMenu_broadcast_message']);
 } else {
-   $submenu_domain = "";
-   $submenu_sendmail = "";
+    $submenu_domain = "";
+    $submenu_sendmail = "";
 }
 
 if (authentication_has_role('global-admin')) {
-   print _menulink("list-admin.php", $PALANG['pAdminMenu_list_admin'], $submenu_admin);
+    print _menulink("list-admin.php", $PALANG['pAdminMenu_list_admin'], $submenu_admin);
 } else {
-   print _menulink("main.php", $PALANG['pMenu_main']);
+    print _menulink("main.php", $PALANG['pMenu_main']);
 }
 
 print _menulink("list-domain.php", $PALANG['pAdminMenu_list_domain'], $submenu_domain);
@@ -49,11 +49,11 @@ if(isset($_SESSION['list_virtual_sticky_domain'])) {
 print _menulink($link, $PALANG['pAdminMenu_list_virtual'], $submenu_virtual);
 
 if ($CONF['fetchmail'] == 'YES') {
-   print _menulink("fetchmail.php", $PALANG['pMenu_fetchmail'], $submenu_fetchmail);
+    print _menulink("fetchmail.php", $PALANG['pMenu_fetchmail'], $submenu_fetchmail);
 }
 
 if ($CONF['sendmail'] == 'YES') {
-   print _menulink("sendmail.php", $PALANG['pMenu_sendmail'], $submenu_sendmail);
+    print _menulink("sendmail.php", $PALANG['pMenu_sendmail'], $submenu_sendmail);
 } 
 
 # not really useful in the admin menu
@@ -64,7 +64,7 @@ if ($CONF['sendmail'] == 'YES') {
 print _menulink("password.php", $PALANG['pMenu_password']);
 
 if (authentication_has_role('global-admin') && 'pgsql'!=$CONF['database_type'] && $CONF['backup'] == 'YES') {
-   print _menulink("backup.php", $PALANG['pAdminMenu_backup']);
+    print _menulink("backup.php", $PALANG['pAdminMenu_backup']);
 }
 
 print _menulink("viewlog.php", $PALANG['pMenu_viewlog']);
@@ -77,16 +77,16 @@ echo "</div>\n";
 print "<br clear='all' /><br>"; # TODO
 
 if (authentication_has_role('global-admin')) {
-   $motd_file = "motd-admin.txt";
+    $motd_file = "motd-admin.txt";
 } else {
-   $motd_file = "motd.txt";
+    $motd_file = "motd.txt";
 }
 
 if (file_exists (realpath ($motd_file)))
 {
-   print "<div id=\"motd\">\n";
-   include ($motd_file);
-   print "</div>";
+    print "<div id=\"motd\">\n";
+    include ($motd_file);
+    print "</div>";
 }
 
 
@@ -95,15 +95,15 @@ if (file_exists (realpath ($motd_file)))
 ?>
 <script type='text/javascript'>
 sfHover = function() {
-   var sfEls = document.getElementById("menu").getElementsByTagName("LI");
-      for (var i=0; i<sfEls.length; i++) {
-         sfEls[i].onmouseover=function() {
+    var sfEls = document.getElementById("menu").getElementsByTagName("LI");
+    for (var i=0; i<sfEls.length; i++) {
+        sfEls[i].onmouseover=function() {
             this.className+=" sfhover";
-         }
-         sfEls[i].onmouseout=function() {
+        }
+        sfEls[i].onmouseout=function() {
             this.className=this.className.replace(new RegExp(" sfhover\\b"), "");
-         }
-   }
+        }
+    }
 }
 if (window.attachEvent) window.attachEvent("onload", sfHover);
 </script>