projects / horde.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: ad97ad4)
Bug #7926: Fix [un]escaping of URLs
authorMichael M Slusarz <slusarz@curecanti.org>
Tue, 10 Feb 2009 18:55:17 +0000 (11:55 -0700)
committerMichael M Slusarz <slusarz@curecanti.org>
Tue, 10 Feb 2009 18:57:10 +0000 (11:57 -0700)
imp/docs/CHANGES patch | blob | history
imp/pgp.php patch | blob | history
imp/smime.php patch | blob | history

diff --git a/imp/docs/CHANGES b/imp/docs/CHANGES
index 0bf7a6c..65a9375 100644 (file)
--- a/imp/docs/CHANGES
+++ b/imp/docs/CHANGES
@@ -51,6 +51,8 @@ v5.0-git
 v4.3.4-cvs
 ----------
 
+[mms] Fix [un]escaping of various URLs on message screen caused by security
+      fixes in v4.3.3 (Bug #7926).
 [mms] Add hook to allow hiding of IMAP folders (Request #7353, Gunnar
       Wrobel <p@rdus.de>).
 [jan] Fix rendering of subjects in RTL scripts when using LTR translations
diff --git a/imp/pgp.php b/imp/pgp.php
index 3076ea5..2bec464 100644 (file)
--- a/imp/pgp.php
+++ b/imp/pgp.php
@@ -25,7 +25,7 @@ function _importKeyDialog($target)
     $t->setOption('gettext', true);
     $t->set('selfurl', Horde::applicationUrl('pgp.php'));
     $t->set('broken_mp_form', $GLOBALS['browser']->hasQuirk('broken_multipart_form'));
-    $t->set('reload', htmlspecialchars(html_entity_decode(Util::getFormData('reload'))));
+    $t->set('reload', htmlspecialchars(Util::getFormData('reload')));
     $t->set('target', $target);
     $t->set('forminput', Util::formInput());
     $t->set('import_public_key', $target == 'process_import_public_key');
@@ -56,6 +56,14 @@ function _textWindowOutput($filename, $msg)
     echo $msg;
 }
 
+function _reloadWindow()
+{
+    $cacheSess = &Horde_SessionObjects::singleton();
+    $reload = Util::getFormData('reload');
+    $cacheSess->setPruneFlag($reload, true);
+    Util::closeWindowJS('opener.focus();opener.location.href="' . $cacheSess->query($reload) . '";');
+}
+
 require_once dirname(__FILE__) . '/lib/base.php';
 
 $imp_pgp = &Horde_Crypt::singleton(array('imp', 'pgp'));
@@ -116,7 +124,7 @@ case 'process_import_public_key':
             foreach ($key_info['signature'] as $sig) {
                 $notification->push(sprintf(_("PGP Public Key for \"%s (%s)\" was successfully added."), $sig['name'], $sig['email']), 'horde.success');
             }
-            Util::closeWindowJS('opener.focus();opener.location.href="' . htmlspecialchars(html_entity_decode(Util::getFormData('reload'))) . '";');
+            _reloadWindow();
         }
     }
     exit;
@@ -166,7 +174,7 @@ case 'process_import_personal_private_key':
              * successfully - close the import popup window. */
             $imp_pgp->addPersonalPrivateKey($privateKey);
             $notification->push(_("PGP private key successfully added."), 'horde.success');
-            Util::closeWindowJS('opener.focus();opener.location.href="' . htmlspecialchars(html_entity_decode(Util::getFormData('reload'))) . '";');
+            _reloadWindow();
         } else {
             /* Invalid private key imported - Redo private key import
              * screen. */
@@ -331,7 +339,8 @@ if ($prefs->getValue('use_pgp')) {
     if (!$t->get('no_file_upload')) {
         $t->set('no_source', !$GLOBALS['prefs']->getValue('add_source'));
         if (!$t->get('no_source')) {
-            $t->set('public_import_url', Util::addParameter(Util::addParameter($selfURL, 'actionID', 'import_public_key'), 'reload', $selfURL));
+            $cacheSess = &Horde_SessionObjects::singleton();
+            $t->set('public_import_url', Util::addParameter(Util::addParameter($selfURL, 'actionID', 'import_public_key'), 'reload', $cacheSess->storeOid($selfURL, false)));
             $t->set('import_pubkey-help', Help::link('imp', 'pgp-import-pubkey'));
         }
     }
diff --git a/imp/smime.php b/imp/smime.php
index 07ca108..8494089 100644 (file)
--- a/imp/smime.php
+++ b/imp/smime.php
@@ -20,7 +20,7 @@ function _importKeyDialog($target)
     $t->setOption('gettext', true);
     $t->set('selfurl', Horde::applicationUrl('smime.php'));
     $t->set('broken_mp_form', $GLOBALS['browser']->hasQuirk('broken_multipart_form'));
-    $t->set('reload', htmlspecialchars(html_entity_decode(Util::getFormData('reload'))));
+    $t->set('reload', htmlspecialchars(Util::getFormData('reload')));
     $t->set('target', $target);
     $t->set('forminput', Util::formInput());
     $t->set('import_public_key', $target == 'process_import_public_key');
@@ -54,7 +54,10 @@ function _actionWindow()
 
 function _reloadWindow()
 {
-    Util::closeWindowJS('opener.focus();opener.location.href="' . htmlspecialchars(html_entity_decode(Util::getFormData('reload'))) . '";');
+    $cacheSess = &Horde_SessionObjects::singleton();
+    $reload = Util::getFormData('reload');
+    $cacheSess->setPruneFlag($reload, true);
+    Util::closeWindowJS('opener.focus();opener.location.href="' . $cacheSess->query($reload) . '";');
 }
 
 function _textWindowOutput($filename, $msg, $html = false)
@@ -265,7 +268,8 @@ if (!is_a($openssl_check, 'PEAR_Error') && $prefs->getValue('use_smime')) {
     if (!$t->get('no_file_upload')) {
         $t->set('no_source', !$GLOBALS['prefs']->getValue('add_source'));
         if (!$t->get('no_source')) {
-            $t->set('public_import_url', Util::addParameter(Util::addParameter($selfURL, 'actionID', 'import_public_key'), 'reload', $selfURL));
+            $cacheSess = &Horde_SessionObjects::singleton();
+            $t->set('public_import_url', Util::addParameter(Util::addParameter($selfURL, 'actionID', 'import_public_key'), 'reload', $cacheSess->storeOid($selfURL, false)));
             $t->set('import_pubkey-help', Help::link('imp', 'smime-import-pubkey'));
         }
     }
Unnamed repository; edit this file to name it for gitweb.