Fix to address XSS issues #1

webmin · Aug 9, 2023 · c81a4c4 · c81a4c4
1 parent eeae146
commit c81a4c4
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 5 deletions.
diff --git a/mailbox/list_folders.cgi b/mailbox/list_folders.cgi
@@ -28,18 +28,23 @@ print &ui_hidden_end("instr");
 print &ui_form_start("delete_folders.cgi", "post");
 my @tds = ( "width=5" );
 my @folders = &list_folders_sorted();
+foreach my $folder (@folders) {
+	$folder->{'file'} = &html_escape($folder->{'file'})
+		if ($folder->{'file'});
+	}
 print &ui_columns_start([ "",
 			  $text{'folders_name'},
 			  $text{'folders_path'},
 			  $text{'folders_type'},
 			  $text{'folders_size'},
 			  $text{'folders_action'} ], undef, 0, \@tds);
+			#   var_dump(\@folders);
 foreach my $f (@folders) {
 	my @cols;
 	my $deletable = 0;
 	if ($f->{'inbox'} || $f->{'drafts'} || $f->{'spam'}) {
 		# Inbox, drafs or spam folder which cannot be edited
-		push(@cols, $f->{'name'});
+		push(@cols, &html_escape($f->{'name'}));
 		}
 	elsif ($f->{'type'} == 2) {
 		# Link for editing POP3 folder

diff --git a/mailbox/list_ifolders.cgi b/mailbox/list_ifolders.cgi
@@ -12,6 +12,10 @@ require './mailbox-lib.pl';
 print &ui_form_start("delete_folders.cgi", "post");
 my @tds = ( "width=5" );
 my @folders = &list_folders_sorted();
+foreach my $folder (@folders) {
+	$folder->{'file'} = &html_escape($folder->{'file'})
+		if ($folder->{'file'});
+	}
 my @adders = ( "<a href='edit_ifolder.cgi?new=1'>$text{'folders_addimap'}</a>",
 	    "<a href='edit_comp.cgi?new=1'>$text{'folders_addcomp'}</a>",
 	    "<a href='edit_virt.cgi?new=1'>$text{'folders_addvirt'}</a>" );

diff --git a/mailbox/view_mail.cgi b/mailbox/view_mail.cgi
@@ -521,15 +521,15 @@ if (!@sub) {
 	if ($mail->{'sortidx'} != 0) {
 		my $mailprv = $beside[$prv];
 		$left = "view_mail.cgi?id=".&urlize($mailprv->{'id'}).
-			"&folder=$in{'folder'}&start=$in{'start'}";
+			"&folder=@{[&urlize($in{'folder'})]}&start=$in{'start'}";
 		}
 	if ($mail->{'sortidx'} < $c-1) {
 		my $mailnxt = $beside[$nxt];
 		$right = "view_mail.cgi?id=".&urlize($mailnxt->{'id'}).
-		      	 "&folder=$in{'folder'}&start=$in{'start'}";
+		      	 "&folder=@{[&urlize($in{'folder'})]}&start=$in{'start'}";
 		}
 	print &ui_page_flipper(&text('view_desc', $mail->{'sortidx'}+1,
-				     $folder->{'name'}),
+				     &html_escape($folder->{'name'})),
 			       undef, undef, $left, $right);
 	}
 else {

diff --git a/mailbox/webmin_menu.pl b/mailbox/webmin_menu.pl
@@ -51,7 +51,7 @@ sub list_webmin_menu
 		my $item = { 'type' => 'item',
 			     'id' => 'folder_'.$fid,
 			     'folder' => 1,
-			     'desc' => $f->{'name'},
+			     'desc' => &html_escape($f->{'name'}),
 			     'link' => '/'.$module_name.
 				       '/index.cgi?id='.&urlize($fid) };
 		if ($f->{'type'} == 6 &&