https://bugs.koozali.org/show_bug.cgi?id=12108
Bug ID: 12108
Summary: untainting
Classification: Contribs
Product: SME Contribs
Version: 10.0
Hardware: ---
OS: ---
Status: CONFIRMED
Severity: normal
Priority: P3
Component: smeserver-mailalias
Assignee: [email protected]
Reporter: [email protected]
QA Contact: [email protected]
CC: [email protected], [email protected]
Depends on: 11757, 11716
Blocks: 12105, 12106, 12107
Target Milestone: ---
Group: security
The untaint pattern needs to be adapted to the situation / the string we actually need
see https://perldoc.perl.org/perlunicode
/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/mailalias.pm:
# Create a mailalias record from the submitted form (excerpt; the rest of the
# sub is not shown in this report).
# Reads 'email', 'domain' and 'mailalias' from the CGI object and passes each
# through uri_unescape(). None of the three is matched against a restrictive
# pattern in the lines shown.
sub performCreateMailalias {
my $fm = shift;
my $q = $fm->{'cgi'};
my $email = uri_unescape($q->param ('email'));
my $domain = uri_unescape($q->param ('domain'));
my $mailalias = uri_unescape($q->param('mailalias'));
my $msg = "OK";
# The record is written with the request-supplied $mailalias as its key and
# $domain/$email as properties; this happens before the untaint line below.
$accounts->new_record($mailalias, { type => 'mailalias',
domain => $domain,
email => $email} )
or $msg = "Error occurred while creating mailalias in database.";
# Untaint $mailalias (the system() call this prepares for is outside the excerpt).
# NOTE(review): /(.+)/ is unanchored and accepts every character except a
# newline, so it clears the taint flag without restricting the value; it only
# keeps the first run of non-newline characters, and leaves $mailalias undef
# when nothing matches. An anchored pattern (\A ... \z) listing the characters
# a mailalias may contain is needed here; that set is not given on this page.
($mailalias) = ($mailalias =~ /(.+)/);
not verified !
# Update the 'email', 'domain' and 'Visible' properties of an existing
# mailalias record (excerpt; the rest of the sub is not shown in this report).
# 'mailalias', 'domain' and 'email' come from the CGI object via
# uri_unescape() and are used as-is in the lines shown.
sub performModifyMailalias {
my $fm = shift;
my $q = $fm->{'cgi'};
my $msg = "OK";
my $mailalias = uri_unescape($q->param ('mailalias'));
my $domain = uri_unescape($q->param ('domain'));
my $email = uri_unescape($q->param ('email'));
# 'internal' falls back to 'NO' when the parameter is missing or false.
my $internal = $q->param ('internal') || 'NO';
# 'Removable' falls back to 'yes' when the property is unset or false.
# NOTE(review): every $accounts->get($mailalias) below uses the
# request-supplied key before any pattern check; if get() can return undef for
# an unknown key, the chained method call would die (confirm against the
# accounts DB API).
my $removable = $accounts->get($mailalias)->prop('Removable') || 'yes';
# @props is assigned here but not read in the lines shown.
my @props = ('domain', $domain , 'email',"$email");
# 'Visible' is only changed for records considered removable: set to
# 'internal' when requested, otherwise the property is deleted.
if ($removable eq 'yes') {
if ($internal eq "YES")
{$accounts->get($mailalias)->set_prop('Visible','internal'); }
else { $accounts->get($mailalias)->delete_prop('Visible'); }
}
# Both writes share one error message; a failure of the first can only be
# told apart from a failure of the second by the caller inspecting the DB.
$accounts->get($mailalias)->set_prop('email',"$email")
or $msg = "Error occurred while modifying mailalias in database.";
$accounts->get($mailalias)->set_prop('domain', $domain)
or $msg = "Error occurred while modifying mailalias in database.";
# Untaint $mailalias before use in system() (the system() call is outside the
# excerpt).
# NOTE(review): /(.+)/ is unanchored and accepts every character except a
# newline, so it clears the taint flag without restricting the value, and it
# runs only after the database writes above. An anchored pattern (\A ... \z)
# listing the characters a mailalias may contain is needed; that set is not
# given on this page.
($mailalias) = ($mailalias =~ /(.+)/);
not verified !!
# Delete a mailalias by signalling the mailalias-delete event (excerpt; the
# rest of the sub is not shown in this report).
# Returns '' early, after setting 'wherenext' to 'InvalidMailalias', when
# validate_is_mailalias() does not return 'OK'.
sub performRemoveMailalias {
my $fm = shift;
my $q = $fm->{'cgi'};
my $msg = "OK";
my $mailalias = uri_unescape($q->param('mailalias'));
# Of the three subs quoted in this report, only this one checks the value
# before acting on it. What validate_is_mailalias() accepts is not visible
# here, so it is the real gate on $mailalias: the untaint regex below adds no
# restriction of its own.
unless($fm->validate_is_mailalias($mailalias) eq 'OK') {
$fm->{cgi}->param( -name => 'wherenext', -value => 'InvalidMailalias'
);
return '';
}
#------------------------------------------------------------
# Make the mailalias inactive, signal mailalias-delete event
# and then delete it
#------------------------------------------------------------
# Untaint $mailalias before use in system()
# NOTE(review): /(.+)/ is unanchored and accepts every character except a
# newline, so it clears the taint flag without restricting the value. An
# anchored pattern (\A ... \z) listing the characters a mailalias may contain
# should replace it; that set is not given on this page.
($mailalias) = ($mailalias =~ /(.+)/);
# system() is called in list form, so no shell parses the arguments and
# $mailalias reaches signal-event as a single argument. A non-zero return
# only changes $msg; execution continues.
system( "/sbin/e-smith/signal-event", "mailalias-delete", "$mailalias",)
== 0 or $msg = "Error occurred while deleting mailalias.";
/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/mailalias.pm:
($mailalias) = ($mailalias =~ /(.+)/);
not verified !!