webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-09 18:45:54 +02:00
Code Issues Packages Projects Releases Wiki Activity

mail.cgi: Fixes bug 13891

Browse Source 
commit 89585e76a2cade43c5fa397f4e2b86f605439659
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Thu Sep 25 17:19:59 2025 +0200

    mail.cgi: Escape username/password in the right place

    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit 43b4ba3768db5e46b95c263accb5b26e90df8a08
Author: Adolf Belka <adolf.belka@ipfire.org>
Date:   Thu Sep 25 13:12:49 2025 +0200

    mail.cgi: Fixes bug 13891

    Fixes: bug 13891 - mail.cgi txt_mailuser txt_mailpass Stored Cross-Site Scripting
    Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
This commit is contained in:
Vincent Li
2025-10-03 22:18:56 +00:00
parent 993dbbbd75
commit aba6bc1e84
1 changed files with 5 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
html/cgi-bin/mail.cgi
View File

@@ -2,7 +2,7 @@
############################################################################### ###############################################################################
# # # #
# IPFire.org - A linux based firewall # # IPFire.org - A linux based firewall #
# Copyright (C) 2007-2020 IPFire Team <info@ipfire.org> # # Copyright (C) 2007-2025 IPFire Team <info@ipfire.org> #
# # # #
# This program is free software: you can redistribute it and/or modify # # This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by # # it under the terms of the GNU General Public License as published by #
@@ -218,11 +218,13 @@ END
</tr> </tr>
<tr> <tr>
<td>$Lang::tr{'email mailuser'}</td> <td>$Lang::tr{'email mailuser'}</td>
<td><input type='text' name='txt_mailuser' value='$auth{'AUTHNAME'}' style='width:22em;'></td> <td><input type='text' name='txt_mailuser'
value='@{[ &Header::escape($auth{'AUTHNAME'}) ]}' style='width:22em;'></td>
</tr> </tr>
<tr> <tr>
<td>$Lang::tr{'email mailpass'}</td> <td>$Lang::tr{'email mailpass'}</td>
<td><input type='password' name='txt_mailpass' value='$auth{'AUTHPASS'}' style='width:22em;' ></td> <td><input type='password' name='txt_mailpass'
value='@{[ &Header::escape($auth{'AUTHPASS'}) ]}' style='width:22em;' ></td>
</tr> </tr>
<tr> <tr>
<td>$Lang::tr{'email tls'}</td> <td>$Lang::tr{'email tls'}</td>