From 129a65b8c590a14fc5d995be93872e8269ae4fac Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Fri, 2 Oct 2015 17:45:16 +0000
Subject: [PATCH 1/3] functions.inc.php: - gen_show_status(): escape mail addresses in query. Fixes https://sourceforge.net/p/postfixadmin/bugs/356/ (mostly - the edit/delete/... links in list-virtual are double-escaped) In theory this could allow SQL injection, in practise the mail address regex limits this issue to a DOS (creating a mail address with ' caused an invalid query that broke list-virtual)
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1809 a1433add-5e2c-0410-b055-b7f2511e0802
---
 functions.inc.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/functions.inc.php b/functions.inc.php
index c3e34eb1..f3631526 100644
--- a/functions.inc.php
+++ b/functions.inc.php
@@ -1755,9 +1755,9 @@ function gen_show_status ($show_alias) {
 list(/*NULL*/,$stat_domain) = explode('@',$g);
 $stat_delimiter = "";
 if (!empty($CONF['recipient_delimiter'])) {
- $stat_delimiter = "OR address = '" . preg_replace($delimiter_regex, "@", $g) . "'";
+ $stat_delimiter = "OR address = '" . escape_string(preg_replace($delimiter_regex, "@", $g)) . "'";
 }
- $stat_result = db_query ("SELECT address FROM $table_alias WHERE address = '$g' OR address = '@$stat_domain' $stat_delimiter");
+ $stat_result = db_query ("SELECT address FROM $table_alias WHERE address = '" . escape_string($g) . "' OR address = '@" . escape_string($stat_domain) . "' $stat_delimiter");
 if ($stat_result['rows'] == 0) {
 $stat_ok = 0;
 }
From 680e96b590ddadfc4f239a5c1bc08bf97f67c869 Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Fri, 2 Oct 2015 18:52:17 +0000
Subject: [PATCH 2/3] list-virtual_alias_domain: - also assign RAW_items (from $RAW_tAliasDomains)
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1811 a1433add-5e2c-0410-b055-b7f2511e0802
---
 templates/list-virtual_alias_domain.tpl | 2 ++
 1 file changed, 2 insertions(+)
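Review bot: The three new escape_string() calls close the quoting hole only if escape_string() defers to the active driver (mysql_real_escape_string / pg_escape_string on the open connection) rather than a generic addslashes(); its body is outside this hunk, so it is worth confirming, because MySQL and PostgreSQL (with standard_conforming_strings) disagree on backslash handling and a mismatch would leave a `'` effectively unescaped on one backend. `$table_alias` stays interpolated unescaped, which is acceptable only if it is config-derived (presumably via table_by_key()) and never request-derived — a one-line comment would spare the next reader that question, e.g. `// $g / $stat_domain come from stored alias targets and are escaped; $table_alias is config-derived, not user input`. If the db layer has or later grows a prepared-statement path, this query is a natural first candidate since all three values are plain equality operands. Separately, `list(/*NULL*/,$stat_domain) = explode('@',$g)` emits an undefined-offset notice and leaves `$stat_domain` empty when a stored target has no `@`, so the query then matches `'@'`; `$stat_parts = explode('@', $g); $stat_domain = isset($stat_parts[1]) ? $stat_parts[1] : '';` avoids the notice without changing the matched value. gen_show_status() begins before and continues after this hunk.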
diff --git a/templates/list-virtual_alias_domain.tpl b/templates/list-virtual_alias_domain.tpl
index ae2a6ccc..83c5dd1b 100644
--- a/templates/list-virtual_alias_domain.tpl
+++ b/templates/list-virtual_alias_domain.tpl
@@ -6,4 +6,6 @@
 {assign var="id_field" value=$msg.id_field}
 {assign var="formconf" value=$aliasdomain_data.formconf}
 {assign var="items" value=$tAliasDomains}
+{assign var="RAW_items" value=$RAW_tAliasDomains}
+
 {include 'list.tpl'}
From 085e7e4bfbb4c174950d13a86e1b9c5ca1992b18 Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Sat, 3 Oct 2015 08:58:21 +0000
Subject: [PATCH 3/3] list.tpl: - base edit, editactive and delete links on $RAW_item to avoid double escaping ($items is already html-escaped, and we url-escape it for links). This fixes the remaining part of http://sourceforge.net/p/postfixadmin/bugs/356/ - simplify displaying "html" fields by using $RAW_item. This also fixes problems with funny[tm] item names that differ when html-encoded (like the ' char)
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1812 a1433add-5e2c-0410-b055-b7f2511e0802
---
 templates/list.tpl | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/templates/list.tpl b/templates/list.tpl
index 2242321c..f5f50f22 100644
--- a/templates/list.tpl
+++ b/templates/list.tpl
@@ -51,7 +51,8 @@   -{foreach from=$items item=item} +{foreach from=$RAW_items item=RAW_item} + {assign "item" $items.{$RAW_item.$id_field|escape:"html"}} {* array keys in $items are html-escaped *} {#tr_hilightoff#} {foreach key=key item=field from=$struct}
@@ -77,7 +78,7 @@ *} {elseif $key == 'active'} {if $item._can_edit} - {$item._active} + {$item._active} {else} {$item._active} {/if}
@@ -109,7 +110,7 @@ {elseif $field.type == 'txtl'} {foreach key=key2 item=field2 from=$item.$key}{$field2}
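Review bot: The new `{assign var="RAW_items" value=$RAW_tAliasDomains}` only does anything if the PHP side (list-virtual.php, not in this series) assigns `RAW_tAliasDomains` unescaped next to `tAliasDomains`; with list.tpl now iterating `$RAW_items`, a missing assignment renders the alias-domain table empty instead of failing loudly. Worth checking that the unescaped assign exists (however the project's assign wrapper spells the no-escape form) and stating the pairing here, e.g. `{* list.tpl loops over $RAW_items and looks the escaped row up in $items: both must be assigned *}`.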
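Review bot: The lookup `{assign "item" $items.{$RAW_item.$id_field|escape:"html"}}` re-derives the escaped key inside the template, so it silently depends on Smarty's `escape:"html"` (htmlspecialchars, presumably with ENT_QUOTES) producing byte-for-byte what the PHP side used when it escaped the keys of `$items`; if that side uses htmlentities(), other flags or another charset, ids containing `'`, `"`, `&` or non-ASCII characters miss the lookup and `$item` is unset for that row with no error. The more robust shape is a single escaping path — loop over `$RAW_items` only and escape at output with `{$RAW_item.$key|escape:"html"}` — or at minimum a guard such as `{if !isset($items.{$RAW_item.$id_field|escape:"html"})}{continue}{/if}` so a mismatch is visible rather than a blank row. The enclosing table markup continues outside this hunk.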
{/foreach} {elseif $field.type == 'html'}
- {$RAW_items.{$item.{$msg.id_field}}.$key}
+ {$RAW_item.$key}
 {else} {$linktext} {/if}
@@ -118,8 +119,8 @@ {/if} {/foreach} - {if $item._can_edit}{$PALANG.edit}{else} {/if} - {if $item._can_delete}{if $item._can_edit}{$PALANG.edit}{else} {/if} + {if $item._can_delete}{$PALANG.del}{else} {/if} {/foreach}
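Review bot: `{$RAW_item.$key}` emits every field of type 'html' with no escaping at all, so this branch is an XSS sink whose safety rests entirely on the PHP side composing each 'html' struct field from already-escaped pieces; the replaced `$RAW_items.{...}.$key` expression had the same property, but the shorter form is easier to reuse casually. A comment on the branch would make that contract explicit, e.g. `{* 'html' fields are printed raw on purpose: the PHP side must build them from escaped data only *}`, and it is worth a grep that no 'html'-typed field currently carries a database string straight through. The surrounding `{if}/{elseif}` chain starts before this hunk.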