fix(security): Security fix for WSTG-INPV-02. Add XSS protection on identity fullName. Fixes #5642.

smizrahi
2022-11-22 10:54:06 +01:00
parent 1e0f5f0089
commit efac49ae91
+16 -2
@@ -147,7 +147,7 @@ NSString *SOGoPasswordRecoverySecondaryEmail = @"SecondaryEmail";
rc = NO;
if ([fullName length])
[identity setObject: fullName forKey: @"fullName"];
[identity setObject: [fullName stringWithoutHTMLInjection: YES] forKey: @"fullName"];
if ([email length])
[identity setObject: email forKey: @"email"];
if ([replyTo length])
@@ -797,7 +797,21 @@ NSString *SOGoPasswordRecoverySecondaryEmail = @"SecondaryEmail";
- (NSArray *) mailIdentities
{
return [self arrayForKey: @"SOGoMailIdentities"];
NSMutableArray *mailIdentities;
NSMutableDictionary *mailIdentity;
NSUInteger i;
// Remove possible XSS injection
mailIdentities = [NSMutableArray arrayWithArray: [self arrayForKey: @"SOGoMailIdentities"]];
for (i = 0 ; i < [mailIdentities length] ; i++) {
mailIdentity = [mailIdentities objectAtIndex: i];
if ([mailIdentity objectForKey: @"fullName"]) {
[mailIdentity setObject: [[mailIdentity objectForKey: @"fullName"] stringWithoutHTMLInjection: YES] forKey: @"fullName"];
[mailIdentities setObject: mailIdentity atIndexedSubscript: i];
}
}
return mailIdentities;
}
- (void) setMailForceDefaultIdentity: (BOOL) newValue
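Review bot: The loop condition in the rewritten `mailIdentities` getter sends `length` to an NSArray, a selector it does not implement, so the first call raises an unrecognized-selector exception before any identity is sanitized and the getter never returns; it should read `for (i = 0 ; i < [mailIdentities count] ; i++) {`. A second issue on the same lines is that `mailIdentity` is typed NSMutableDictionary but is taken straight from `arrayForKey:`, whose elements are presumably immutable dictionaries, so `setObject:forKey:` would also raise; taking a mutable copy first, `mailIdentity = [NSMutableDictionary dictionaryWithDictionary: [mailIdentities objectAtIndex: i]];`, makes both the in-place sanitizing and the following `setObject:atIndexedSubscript:` store meaningful. Note also that the getter now hands back the NSMutableArray it builds, whereas the previous body returned whatever `arrayForKey:` returned; returning `[NSArray arrayWithArray: mailIdentities]` would keep the public contract immutable. A short comment such as `// Sanitize on read as well as on write, since stored identities may predate the write-side filter` would document why the hunk at line 147 and this one both apply `stringWithoutHTMLInjection:`.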