From 76cf41e67232fbb90cc44a5830016cec4e7bc045 Mon Sep 17 00:00:00 2001
From: iliajie <gpg@ilia.engineer>
Date: Thu, 3 Aug 2023 17:19:45 +0300
Subject: [PATCH] Fix various XSS related issues

---
 forward/edit_afile.cgi |  4 ++--
 forward/edit_ffile.cgi |  4 ++--
 forward/edit_rfile.cgi |  4 ++--
 forward/edit_vfile.cgi |  6 +++---
 forward/index.cgi      | 21 ++++++++++-----------
 forward/save_afile.cgi |  2 +-
 forward/save_ffile.cgi |  2 +-
 forward/save_rfile.cgi |  2 +-
 forward/save_vfile.cgi |  2 +-
 9 files changed, 23 insertions(+), 24 deletions(-)
diff --git a/forward/edit_afile.cgi b/forward/edit_afile.cgi
index 00c7a0ee..4b695be4 100755
--- a/forward/edit_afile.cgi
+++ b/forward/edit_afile.cgi
@@ -11,7 +11,7 @@ open(FILE, $in{'file'});
 @lines = <FILE>;
 close(FILE);
 
-print "<b>",&text('afile_desc', "<tt>$in{'vfile'}</tt>"),"</b><p>\n";
+print "<b>",&text('afile_desc', "<tt>@{[&html_escape($in{'vfile'})]}</tt>"),"</b><p>\n";
 
 print "<form action=save_afile.cgi method=post enctype=multipart/form-data>\n";
 print &ui_hidden("file", $in{'file'}),"\n";
@@ -23,6 +23,6 @@ print "<input type=submit value=\"$text{'save'}\"> ",
       "<input type=reset value=\"$text{'afile_undo'}\">\n";
 print "</form>\n";
 
-&ui_print_footer("edit_alias.cgi?num=$in{'num'}&file=$in{'file'}",
+&ui_print_footer("edit_alias.cgi?num=$in{'num'}&file=@{[&urlize($in{'file'})]}",
 		 $text{'aform_return'});
 
diff --git a/forward/edit_ffile.cgi b/forward/edit_ffile.cgi
index fed31b7b..eadbe967 100755
--- a/forward/edit_ffile.cgi
+++ b/forward/edit_ffile.cgi
@@ -19,7 +19,7 @@ while(<FILE>) {
 	}
 close(FILE);
 
-print "<b>",&text('ffile_desc', "<tt>$in{'vfile'}</tt>"),"</b><p>\n";
+print "<b>",&text('ffile_desc', "<tt>@{[&html_escape($in{'vfile'})]}</tt>"),"</b><p>\n";
 
 print "<form action=save_ffile.cgi method=post enctype=multipart/form-data>\n";
 print &ui_hidden("file", $in{'file'}),"\n";
@@ -56,6 +56,6 @@ print &text('ffile_other',
 print "<input type=submit value=\"$text{'save'}\">\n";
 print "</form>\n";
 
-&ui_print_footer("edit_alias.cgi?num=$in{'num'}&file=$in{'file'}",
+&ui_print_footer("edit_alias.cgi?num=$in{'num'}&file=@{[&urlize($in{'file'})]}",
 		 $text{'aform_return'});
 
diff --git a/forward/edit_rfile.cgi b/forward/edit_rfile.cgi
index ca879192..ce320498 100755
--- a/forward/edit_rfile.cgi
+++ b/forward/edit_rfile.cgi
@@ -31,7 +31,7 @@ if (!-r $in{'vfile'}) {
 	$from = $froms->[0];
 	}
 
-print &text('rfile_desc', "<tt>$in{'vfile'}</tt>"),"<p>\n";
+print &text('rfile_desc', "<tt>@{[&html_escape($in{'vfile'})]}</tt>"),"<p>\n";
 print "$text{'rfile_desc2'}<p>\n";
 
 print "<form action=save_rfile.cgi method=post enctype=multipart/form-data>\n";
@@ -78,6 +78,6 @@ print "<input type=submit value=\"$text{'save'}\"> ",
       "<input type=reset value=\"$text{'rfile_undo'}\">\n";
 print "</form>\n";
 
-&ui_print_footer("edit_alias.cgi?num=$in{'num'}&file=$in{'file'}",
+&ui_print_footer("edit_alias.cgi?num=$in{'num'}&file=@{[&urlize($in{'file'})]}",
 		 $text{'aform_return'});
 
diff --git a/forward/edit_vfile.cgi b/forward/edit_vfile.cgi
index 6df44ee0..c7c0cb9a 100755
--- a/forward/edit_vfile.cgi
+++ b/forward/edit_vfile.cgi
@@ -26,7 +26,7 @@ if (!-r $in{'vfile'}) {
 	$from = $froms->[0];
 	}
 
-print &text('vfile_desc', "<tt>$in{'vfile'}</tt>"),"<p>\n";
+print &text('vfile_desc', "<tt>@{[&html_escape($in{'vfile'})]}</tt>"),"<p>\n";
 
 print "<form action=save_vfile.cgi method=post enctype=multipart/form-data>\n";
 print &ui_hidden("file", $in{'file'}),"\n";
@@ -59,7 +59,7 @@ print "<input type=submit value=\"$text{'save'}\"> ",
 print "</form>\n";
 
 &ui_print_footer(defined($in{'idx'}) ?
-		 ( "edit_vacation.cgi?num=$in{'num'}&file=$in{'file'}&idx=$in{'idx'}", $text{'vacation_return'} ) : ( ),
-		 "edit_alias.cgi?num=$in{'num'}&file=$in{'file'}",
+		 ( "edit_vacation.cgi?num=$in{'num'}&file=@{[&urlize($in{'file'})]}&idx=$in{'idx'}", $text{'vacation_return'} ) : ( ),
+		 "edit_alias.cgi?num=$in{'num'}&file=@{[&urlize($in{'file'})]}",
 		 $text{'aform_return'});
 
diff --git a/forward/index.cgi b/forward/index.cgi
index 1fe8e96e..c043d5f0 100755
--- a/forward/index.cgi
+++ b/forward/index.cgi
@@ -19,7 +19,7 @@ if ($simple) {
 			print "<span data-unckecked>" . $text{'index_simple'.$s},"</span>\n";
 			}
 		else {
-			print "<a href='index.cgi?simple=$s'>",$text{'index_simple'.$s},"</a>\n";
+			print &ui_link("index.cgi?simple=$s", $text{'index_simple'.$s});
 			}
 		print "&nbsp;|&nbsp;\n" if ($s != 0);
 		}
@@ -149,10 +149,9 @@ else {
 	}
 
 if (!$in{'simple'} || !$simple) {
-	@links = ( "<a href='edit_alias.cgi?new=1'>$text{'index_add'}</a>" );
+	@links = ( &ui_link('edit_alias.cgi?new=1', $text{'index_add'}) );
 	if ($config{'mail_system'} == 0 && $config{'edit'}) {
-		push(@links, "<a href='edit_forward.cgi'>".
-		      	     &text('index_edit', "<tt>.forward</tt>")."</a>");
+		push(@links, &ui_link('edit_forward.cgi', &text('index_edit', "<tt>.forward</tt>")));
 		}
 	print &ui_links_row(\@links);
 	}
@@ -165,13 +164,12 @@ print &ui_columns_start([ $text{'aliases_to'},
 			  $text{'aliases_enabled'} ], 100, 2);
 foreach my $a (@_) {
 	my @cols;
-	my $e = "<a href=\"edit_alias.cgi?num=$a->{'num'}\">";
+	my $e = "";
 	foreach $v (@{$a->{'values'}}) {
 		($anum, $astr) = &alias_type($v);
-		$e .= &text("aliases_type$anum", "<tt>$astr</tt>")."<br>\n";
+		$e .= &text("aliases_type$anum", "<tt>@{[&html_escape($astr)]}</tt>")."<br>\n";
 		}
-	$e .= "</a>";
-	push(@cols, $e);
+	push(@cols, &ui_link("edit_alias.cgi?num=$a->{'num'}", $e));
 	push(@cols, $a->{'enabled'} ? $text{'yes'} :
                 	"<font color=#ff0000>$text{'no'}</font>");
 	print &ui_columns_row(\@cols);
@@ -185,9 +183,10 @@ print "<table border width=100%>\n";
 print "<tr $tb> <td><b>$text{'aliases_from'}</b></td> <td><b>$text{'aliases_to'}</b></td> </tr>\n";
 foreach $a (@_) {
 	print "<tr $cb>\n";
-	print "<td><a href=\"edit_alias.cgi?file=$a->{'file'}\">",
-	      $a->{'name'} ? "$remote_user-$a->{'name'}" : $remote_user,
-	      "</td> <td>\n";
+	my $lnk = &ui_link("edit_alias.cgi?file=$a->{'file'}",
+				&html_escape($a->{'name'} ? "$remote_user-$a->{'name'}" : $remote_user));
+	print "<td>$lnk</td>\n";
+	print "<td>\n";
 	foreach $v (@{$a->{'values'}}) {
 		($anum, $astr) = &alias_type($v);
 		print &text("aliases_type$anum", "<tt>$astr</tt>"),"<br>\n";
diff --git a/forward/save_afile.cgi b/forward/save_afile.cgi
index 66441e7f..2ca8db51 100755
--- a/forward/save_afile.cgi
+++ b/forward/save_afile.cgi
@@ -11,5 +11,5 @@ $in{'text'} =~ s/\n*$/\n/;
 &print_tempfile(FILE, $in{'text'});
 &close_tempfile(FILE);
 
-&redirect("edit_alias.cgi?num=$in{'num'}&file=$in{'file'}");
+&redirect("edit_alias.cgi?num=$in{'num'}&file=@{[&urlize($in{'file'})]}");
 
diff --git a/forward/save_ffile.cgi b/forward/save_ffile.cgi
index d0c836b7..53ec21d0 100755
--- a/forward/save_ffile.cgi
+++ b/forward/save_ffile.cgi
@@ -18,5 +18,5 @@ push(@filter, "2 ".$in{'other'}."\n") if ($in{'other'});
 &open_tempfile(FILE, ">$in{'vfile'}", 1) || &error(&text('ffile_ewrite', $!));
 &print_tempfile(FILE, @filter);
 &close_tempfile(FILE);
-&redirect("edit_alias.cgi?num=$in{'num'}&file=$in{'file'}");
+&redirect("edit_alias.cgi?num=$in{'num'}&file=@{[&urlize($in{'file'})]}");
 
diff --git a/forward/save_rfile.cgi b/forward/save_rfile.cgi
index 9d2f921b..857f18cc 100755
--- a/forward/save_rfile.cgi
+++ b/forward/save_rfile.cgi
@@ -30,4 +30,4 @@ if (!$in{'from_def'}) {
 	}
 &print_tempfile(FILE, $in{'text'});
 &close_tempfile(FILE);
-&redirect("edit_alias.cgi?num=$in{'num'}&file=$in{'file'}");
+&redirect("edit_alias.cgi?num=$in{'num'}&file=@{[&urlize($in{'file'})]}");
diff --git a/forward/save_vfile.cgi b/forward/save_vfile.cgi
index 0050ca60..8e1697b7 100755
--- a/forward/save_vfile.cgi
+++ b/forward/save_vfile.cgi
@@ -26,4 +26,4 @@ if ($hl && $in{'text'} !~ /^(\S+):\s+\S/) {
 	}
 &print_tempfile(FILE, $in{'text'});
 &close_tempfile(FILE);
-&redirect("edit_alias.cgi?num=$in{'num'}&file=$in{'file'}");
+&redirect("edit_alias.cgi?num=$in{'num'}&file=@{[&urlize($in{'file'})]}");

$text{'aliases_from'}	$text{'aliases_to'}
{'file'}\">", - $a->{'name'} ? "$remote_user-$a->{'name'}" : $remote_user, - "	\n"; + my $lnk = &ui_link("edit_alias.cgi?file=$a->{'file'}", + &html_escape($a->{'name'} ? "$remote_user-$a->{'name'}" : $remote_user)); + print "	$lnk	\n"; foreach $v (@{$a->{'values'}}) { ($anum, $astr) = &alias_type($v); print &text("aliases_type$anum", "`$astr`")," \n"; diff --git a/forward/save_afile.cgi b/forward/save_afile.cgi index 66441e7f..2ca8db51 100755 --- a/forward/save_afile.cgi +++ b/forward/save_afile.cgi @@ -11,5 +11,5 @@ $in{'text'} =~ s/\n*$/\n/; &print_tempfile(FILE, $in{'text'}); &close_tempfile(FILE); -&redirect("edit_alias.cgi?num=$in{'num'}&file=$in{'file'}"); +&redirect("edit_alias.cgi?num=$in{'num'}&file=@{[&urlize($in{'file'})]}"); diff --git a/forward/save_ffile.cgi b/forward/save_ffile.cgi index d0c836b7..53ec21d0 100755 --- a/forward/save_ffile.cgi +++ b/forward/save_ffile.cgi @@ -18,5 +18,5 @@ push(@filter, "2 ".$in{'other'}."\n") if ($in{'other'}); &open_tempfile(FILE, ">$in{'vfile'}", 1) \|\| &error(&text('ffile_ewrite', $!)); &print_tempfile(FILE, @filter); &close_tempfile(FILE); -&redirect("edit_alias.cgi?num=$in{'num'}&file=$in{'file'}"); +&redirect("edit_alias.cgi?num=$in{'num'}&file=@{[&urlize($in{'file'})]}"); diff --git a/forward/save_rfile.cgi b/forward/save_rfile.cgi index 9d2f921b..857f18cc 100755 --- a/forward/save_rfile.cgi +++ b/forward/save_rfile.cgi @@ -30,4 +30,4 @@ if (!$in{'from_def'}) { } &print_tempfile(FILE, $in{'text'}); &close_tempfile(FILE); -&redirect("edit_alias.cgi?num=$in{'num'}&file=$in{'file'}"); +&redirect("edit_alias.cgi?num=$in{'num'}&file=@{[&urlize($in{'file'})]}"); diff --git a/forward/save_vfile.cgi b/forward/save_vfile.cgi index 0050ca60..8e1697b7 100755 --- a/forward/save_vfile.cgi +++ b/forward/save_vfile.cgi @@ -26,4 +26,4 @@ if ($hl && $in{'text'} !~ /^(\S+):\s+\S/) { } &print_tempfile(FILE, $in{'text'}); &close_tempfile(FILE); -&redirect("edit_alias.cgi?num=$in{'num'}&file=$in{'file'}"); +&redirect("edit_alias.cgi?num=$in{'num'}&file=@{[&urlize($in{'file'})]}");