From patchwork Wed Oct 30 10:58:59 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 2560 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 47357g42Mpz420M for ; Wed, 30 Oct 2019 10:59:43 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail02.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 47357f322mz2Ps; Wed, 30 Oct 2019 10:59:42 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=201909ed25519; t=1572433182; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=jkGJd11XqYnNPfL2SrWQZCmPf/GIhx12j1V/6KPoHbE=; b=iyNp3LlQkqq4LohbsKNgBtdONDOXI+DuvI0MaotFsli/MKq1Eje9T5OIQcioNwFg1fS3Qr XMNUxTN15qcu1iDA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201909rsa; t=1572433182; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=jkGJd11XqYnNPfL2SrWQZCmPf/GIhx12j1V/6KPoHbE=; b=NNMpD3M1qeRcbyXNOb8UFl+8dRRni8DBg1c+XaMCqojEYH0ILPPJk8M8jNVmecIXdURtaw xKUGqtoo131KOhp5FVb0Syx96S1jeL4ZMavCSd+SyF/GJ+teGIUs8Ko3GRbvBpND/khIQ7 C5OIFQx2EkcIMNsCQm2pb4OjTIrXZJVJMEmk42VgaJSgWph4pMbtdN6BF8bjs+DjUM2Sq2 TL7CYdk8AKTuXTxJJfrb81VgWApipLZJdvv2F0ae6otB92lhL6IKgbGDFPuyn2RroKek4m BOa4ZOzcjFv1EHUcE+vI8IG6ulIuBkFHLIFbEMrts2g7/1O1oIucf20VYqO9EQ== Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 47357f1ktGz2ySv; Wed, 30 Oct 2019 10:59:42 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 47357c3CC2z2y48 for ; Wed, 30 Oct 2019 10:59:40 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPSA id 47357b6xDCz2Ps; Wed, 30 Oct 2019 10:59:29 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=201909ed25519; t=1572433180; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=jkGJd11XqYnNPfL2SrWQZCmPf/GIhx12j1V/6KPoHbE=; b=Lj4tGFeNCUrMpbmboIa4SHVkUT5tVobam5M83fmZxTC6V6SH7srrhkvtomrCUZfBAZclmp TdxmfeA9dWlgBLAg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201909rsa; t=1572433180; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=jkGJd11XqYnNPfL2SrWQZCmPf/GIhx12j1V/6KPoHbE=; b=aPSxcRskrwMiny42Bk8vRy6AtT4lZqyn+EFEgGN5IQ2JMRDZ2e6Y6C748KyLUnLpuvKpSg QwwmloMUv04bSxxR2yD/TKjUEer03e2+3tdBk1Chs1+YIcNZNAuSUeFETkYVi0TYQSdz9S N6ZDKmKPbGvIIijBEx8n2F/5iee/RCxV5FLvJvAYG5R/6gQ73JdnwvAHY4z+rWPCxP5Pmx UWpenlTYcD4wFeWRNrJWjAoNHfpdVZfMSWQNGAgld3L1yTgBxjgdxvOq27s7XrW5L41iZC zIuWJUyLUncTtxoEXeKbL5NAoiZ0aIDxBBkvUEu2Yz9BZ4Er8AkXmIzdLRm8rw== From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 1/2] mail.cgi: Always check content of fields Date: Wed, 30 Oct 2019 10:58:59 +0000 Message-Id: <20191030105900.15306-1-michael.tremer@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Michael Tremer Errors-To: development-bounces@lists.ipfire.org Sender: "Development" These checks did not do anything but clear all fields when mailing was disabled. It makes a lot more sense to retain people's settings, even when they have been disabled. Signed-off-by: Michael Tremer --- html/cgi-bin/mail.cgi | 17 ++++------------- 1 file changed, 4 insertions(+), 13 deletions(-) diff --git a/html/cgi-bin/mail.cgi b/html/cgi-bin/mail.cgi index 9cf14cac8..07986a4d6 100755 --- a/html/cgi-bin/mail.cgi +++ b/html/cgi-bin/mail.cgi @@ -81,19 +81,10 @@ if ( -f $mailfile){ #ACTIONS if ($cgiparams{'ACTION'} eq "$Lang::tr{'save'}"){ #SaveButton on configsite - #Check fields - if ($cgiparams{'USEMAIL'} eq 'on'){ - $errormessage=&checkmailsettings; - }else{ - $cgiparams{'txt_mailserver'}=''; - $cgiparams{'txt_mailport'}=''; - $cgiparams{'txt_mailuser'}=''; - $cgiparams{'txt_mailpass'}=''; - $cgiparams{'mail_tls'}=''; - $cgiparams{'txt_mailsender'}=''; - $cgiparams{'txt_recipient'}=''; - } - if(!$errormessage){ + # Check fields + $errormessage = &checkmailsettings(); + + if (!$errormessage) { #clear hashes %auth=(); %dma=(); From patchwork Wed Oct 30 10:59:00 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 2561 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 47357l74V3z420M for ; Wed, 30 Oct 2019 10:59:47 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail02.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 47357l4PXZz4V7; Wed, 30 Oct 2019 10:59:47 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=201909ed25519; t=1572433187; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=8hF3YLGTkQT1YcmNYYBTyU1euW22JtjwK43KHdSdM2c=; b=KygK9XJYq/usB5GPpuJE2+1P2BUMpezKEsUKNvhdxTvkvFCn+qPOiHesO9n23/HqxE/j1D C56Lq5xBBeNrDXDg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201909rsa; t=1572433187; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=8hF3YLGTkQT1YcmNYYBTyU1euW22JtjwK43KHdSdM2c=; b=nX/lx4BTBLIfh8Y3cxFJLLMF3Q1TPqxXUEFKwnxEduV/Zk22wMJA8zQSAGmn0UART1WMbs gOBOtlWDDkwNNbhx0xy8XSZpUHbhBxWCuKQfIN2YAGjCpod3o3urs205D3u3qNJFE2NxxN 3yBol5afEWux2xoLQmRp8ABbzvFgwI9doOoU6Fj8658c26ZzCas4Y/mFleF8cgurfBZ685 SNIq/kZPchH37DqX1KuRQbnr0dOCFoo5mv+jJnt/wkbXddIRLejem+EiLBpAe4dUGuLqqr Tbnm+FA6QU8dd9TYrX6qTtuEuFlwkWSWmimnjVYTUUAI/A7nZo+oeDnzpMufig== Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 47357l3G5lz2yNR; Wed, 30 Oct 2019 10:59:47 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 47357j3FLqz2yNR for ; Wed, 30 Oct 2019 10:59:45 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPSA id 47357j1jmqz3L7; Wed, 30 Oct 2019 10:59:40 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=201909ed25519; t=1572433185; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=8hF3YLGTkQT1YcmNYYBTyU1euW22JtjwK43KHdSdM2c=; b=dExkSl8vi4uU8QgdXOCsa3XTFQuqFROWpjhztlBpNeUVVoxw6EiYOwT4Fr++0YHO1mL/EX e+zZ4SdUYndzQsCg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201909rsa; t=1572433185; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=8hF3YLGTkQT1YcmNYYBTyU1euW22JtjwK43KHdSdM2c=; b=Z+0Z09iigBt4ogMd6mlu5K1mBKaJx0adrdCdI6HEdCNl5Ppj5FIhmtzFuzthECxDncFR/V +yXQJfJKZK2idE90ApZcFji9kPJTTCudOtboKVSiiYzS/UIurvpkcx/lZDgzY7HinqteWN f1u4RhNVAQdjRG8bdMmuOiqdnaCyqTwplfek4HzcIBnF7tdPQXy+1QsJMZuPJxLgnsfiRI xqAptuDSUL04p1bM+v+Ca+k3jSgJZBkeAzaIapJrZW7ycN8Oqts2fbx5pGnv6eVjMx7MDX y2I4q3Vgg826U4axPAtgrUhvavbrMwvhd4DSuc0O/5jXC8qt+qgIE/m9EwQVPQ== From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 2/2] mail.cgi: Do not print content of input fields Date: Wed, 30 Oct 2019 10:59:00 +0000 Message-Id: <20191030105900.15306-2-michael.tremer@ipfire.org> In-Reply-To: <20191030105900.15306-1-michael.tremer@ipfire.org> References: <20191030105900.15306-1-michael.tremer@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Michael Tremer , Pisher Honda Errors-To: development-bounces@lists.ipfire.org Sender: "Development" This was printed unescaped and could therefore be used for a stored XSS attack. Fixes: #12226 Reported-by: Pisher Honda Signed-off-by: Michael Tremer --- html/cgi-bin/mail.cgi | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/html/cgi-bin/mail.cgi b/html/cgi-bin/mail.cgi index 07986a4d6..25589046e 100755 --- a/html/cgi-bin/mail.cgi +++ b/html/cgi-bin/mail.cgi @@ -260,21 +260,21 @@ sub checkmailsettings { #Check if mailserver is an ip address or a domain if ($cgiparams{'txt_mailserver'} =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/){ if (! &General::validip($cgiparams{'txt_mailserver'})){ - $errormessage.="$Lang::tr{'email invalid mailip'} $cgiparams{'txt_mailserver'}
"; + $errormessage .= $Lang::tr{'email invalid mailip'} . "
"; } }elsif(! &General::validfqdn($cgiparams{'txt_mailserver'})){ - $errormessage.="$Lang::tr{'email invalid mailfqdn'} $cgiparams{'txt_mailserver'}
"; + $errormessage .= $Lang::tr{'email invalid mailfqdn'} . "
"; } #Check valid mailserverport if($cgiparams{'txt_mailport'} < 1 || $cgiparams{'txt_mailport'} > 65535){ - $errormessage.="$Lang::tr{'email invalid mailport'} $cgiparams{'txt_mailport'}
"; + $errormessage .= $Lang::tr{'email invalid mailport'} . "
"; } #Check valid sender if(! $cgiparams{'txt_mailsender'}){ - $errormessage.="$Lang::tr{'email empty field'} $Lang::tr{'email mailsender'}
"; + $errormessage .= $Lang::tr{'email empty field'} . "
"; }else{ if (! &General::validemail($cgiparams{'txt_mailsender'})){ - $errormessage.="
$Lang::tr{'email invalid'} $Lang::tr{'email mailsender'}
"; + $errormessage .= "$Lang::tr{'email invalid'} $Lang::tr{'email mailsender'}
"; } } return $errormessage;