Fix for URL injection vulnerability (Bug #1307966)

release-0.6
thomascube 19 years ago
parent 30233b8dfb
commit 539cd47824

@ -267,7 +267,19 @@ if ($_task=='settings')
} }
// only allow these templates to be included
$valid_tasks = array('mail','settings','addressbook');
// parse main template // parse main template
parse_template($_task); if (in_array($_task, $valid_tasks))
parse_template($_task);
// if we arrive here, something went wrong
raise_error(array('code' => 404,
'type' => 'php',
'line' => __LINE__,
'file' => __FILE__,
'message' => "Invalid request"), TRUE, TRUE);
?> ?>
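Review bot: The allow-list check `in_array($_task, $valid_tasks)` compares loosely; passing the strict flag, `if (in_array($_task, $valid_tasks, true))`, keeps a non-string `$_task` from matching a template name through type juggling. The 404 below the call is only correct if `parse_template()` ends the request itself, which the hunk does not show, so a comment such as `// parse_template() exits on success; reaching the next line means the task was rejected or the template failed` would make that dependency explicit. The `$_task=='settings'` test in the hunk header suggests `$_task` is used before this point, so validating it once where it is first read from the request would probably cover those earlier uses as well.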

@ -52,7 +52,7 @@ else if ($ERROR_CODE==401)
else if ($ERROR_CODE==404) else if ($ERROR_CODE==404)
{ {
$__error_title = "REQUEST FAILED/FILE NOT FOUND"; $__error_title = "REQUEST FAILED/FILE NOT FOUND";
$request_url = $GLOBALS['HTTP_HOST'].$GLOBALS['REQUEST_URI']; $request_url = $_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
$__error_text = <<<EOF $__error_text = <<<EOF
The requested page was not found!<br /> The requested page was not found!<br />
Please contact your server-administrator. Please contact your server-administrator.
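Review bot: `$request_url` is built from `$_SERVER['HTTP_HOST']` and `$_SERVER['REQUEST_URI']`, both of which are supplied by the client, and nothing on that line encodes them. If the value is interpolated into the `$__error_text` heredoc (its body continues past the end of the hunk, so that is not visible here), it should be HTML-escaped first: `$request_url = htmlspecialchars($_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'], ENT_QUOTES);`. The `else if ($ERROR_CODE==404)` block and the heredoc both end outside the hunk.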
