mail.cgi: Do not print content of input fields

This was printed unescaped and could therefore be used for a stored XSS attack. Fixes: #12226 Reported-by: Pisher Honda <pisher24@gmail.com> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2026-04-16 22:13:01 +02:00 · 2019-10-30 10:59:00 +00:00
parent 0a340fbe1e
commit 095bf49407
1 changed files with 5 additions and 5 deletions
--- a/html/cgi-bin/mail.cgi
+++ b/html/cgi-bin/mail.cgi
@@ -260,21 +260,21 @@ sub checkmailsettings {
 	#Check if mailserver is an ip address or a domain
 	if ($cgiparams{'txt_mailserver'} =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/){
 		if (! &General::validip($cgiparams{'txt_mailserver'})){
-			$errormessage.="$Lang::tr{'email invalid mailip'} $cgiparams{'txt_mailserver'}<br>";
+			$errormessage .= $Lang::tr{'email invalid mailip'} . "<br>";
 		}
 	}elsif(! &General::validfqdn($cgiparams{'txt_mailserver'})){
-			$errormessage.="$Lang::tr{'email invalid mailfqdn'} $cgiparams{'txt_mailserver'}<br>";
+			$errormessage .= $Lang::tr{'email invalid mailfqdn'} . "<br>";
 	}
 	#Check valid mailserverport
 	if($cgiparams{'txt_mailport'} < 1 || $cgiparams{'txt_mailport'} > 65535){
-		$errormessage.="$Lang::tr{'email invalid mailport'} $cgiparams{'txt_mailport'}<br>";
+		$errormessage .= $Lang::tr{'email invalid mailport'} . "<br>";
 	}
 	#Check valid sender
 	if(! $cgiparams{'txt_mailsender'}){
-		$errormessage.="$Lang::tr{'email empty field'} $Lang::tr{'email mailsender'}<br>";
+		$errormessage .= $Lang::tr{'email empty field'} . "<br>";
 	}else{
 		if (! &General::validemail($cgiparams{'txt_mailsender'})){
-			$errormessage.="<br>$Lang::tr{'email invalid'} $Lang::tr{'email mailsender'}<br>";
+			$errormessage .= "$Lang::tr{'email invalid'} $Lang::tr{'email mailsender'}<br>";
 		}
 	}
 	return $errormessage;