Dangerous! XSS vulnerability

Thomas Bruederli roundcube at gmail.com
Fri Feb 16 15:25:55 CET 2007


2007/2/16, till <klimpong at gmail.com>:
> On 2/16/07, Robin Elfrink <elfrink at introweb.nl> wrote:
> > > http://trac.roundcube.net/trac.cgi/ticket/1484254
> >
> > The only thing I'm not sure about is charset conversions. I have no
> > experience with those. Are special charset thingies used in mailbox names?
>
> Maybe? We *should* probably test and see what happens when.

The mbox parameter should only contain UTF-7 representations of the
mailboxes. We don't need to care about charset conversion here.
  if ($mbox = get_input_value('_mbox', RCUBE_INPUT_GET))
should fix this issue.

~Thomas
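As an added illustration of the pattern Thomas describes (this is not Roundcube's code and not the patch from the ticket): a mailbox name reaching IMAP is modified UTF-7, whose alphabet is plain ASCII, so a request parameter that carries anything else, such as angle brackets or quotes, can simply be rejected before it is reused in a page. The helper name sanitize_mbox, the whitelist regex and the sample inputs below are assumptions chosen for the example; Roundcube's own get_input_value() is not reproduced here.

```php
<?php
// Added example, not Roundcube code: a stand-in for the validate-on-input
// step that get_input_value('_mbox', RCUBE_INPUT_GET) performs in Roundcube.
// Mailbox names are modified UTF-7 (RFC 3501), so the accepted alphabet is
// ASCII letters, digits, the UTF-7 shift characters '&' '+' ',' '-' and the
// common hierarchy delimiters '.' and '/'. Anything else is refused.

// Hypothetical helper name; the whitelist is this example's assumption.
function sanitize_mbox(?string $raw): string
{
    if ($raw === null) {
        return 'INBOX';                          // safe default when absent
    }
    // Reject NUL bytes, markup characters and over-long names in one check.
    if (!preg_match('/^[A-Za-z0-9&+,\-._\/ ]{1,255}$/', $raw)) {
        return 'INBOX';
    }
    return $raw;
}

// Constructed sample inputs: three legitimate names and one carrying markup.
$samples = [
    'INBOX',
    'INBOX.Sent',
    '&AOQ-bc',                                   // "äbc" encoded in modified UTF-7
    'INBOX<script>x</script>',                   // markup, must be refused
];

foreach ($samples as $s) {
    $mbox = sanitize_mbox($s);
    // Escape at the output sink as well: input validation and output encoding
    // are two independent layers, and the second one stays even if the first
    // is later relaxed.
    printf("%-28s -> %s\n", $s, htmlspecialchars($mbox, ENT_QUOTES, 'UTF-8'));
}
```

Run with `php example.php`; the first three names pass through unchanged and the fourth is replaced by INBOX. The output escaping is deliberately kept even though validation already refused the markup, so that a later loosening of the whitelist does not silently reopen the reflected-input problem.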