Applied security patches by Kees Cook (Ubuntu) + little visual enhancements

git-svn-id: https://svn.roundcube.net/trunk@425 208e9e7b-5314-0410-a742-e7e81cd9613c
author: thomasb <thomasb@208e9e7b-5314-0410-a742-e7e81cd9613c> 2006-12-22 21:45:21 +0000
committer: thomasb <thomasb@208e9e7b-5314-0410-a742-e7e81cd9613c> 2006-12-22 21:45:21 +0000
commit: fbf02ab360cbe003b9b90efb878969d82a3fc240 (patch)
tree: 3304274f10ad0fda2b49a307b38d1cd755ac94bc /roundcubemail/program/include
parent: 55491988926ec76a2a31914c3eb766790ca82b06 (diff)
1 files changed, 20 insertions, 0 deletions
diff --git a/roundcubemail/program/include/main.inc b/roundcubemail/program/include/main.inc
index c57aa8a9f..a1c00d340 100644
--- a/roundcubemail/program/include/main.inc
+++ b/roundcubemail/program/include/main.inc
@@ -450,6 +450,26 @@ function rcmail_login($user, $pass, $host=NULL)
   if (!$host)
     $host = $CONFIG['default_host'];
 
+  // Validate that selected host is in the list of configured hosts
+  if (is_array($CONFIG['default_host']))
+    {
+    $allowed = FALSE;
+    foreach ($CONFIG['default_host'] as $key => $host_allowed)
+      {
+      if (!is_numeric($key))
+        $host_allowed = $key;
+      if ($host == $host_allowed)
+        {
+        $allowed = TRUE;
+        break;
+        }
+      }
+    if (!$allowed)
+      return FALSE;
+    }
+  else if (!empty($CONFIG['default_host']) && $host != $CONFIG['default_host'])
+    return FALSE;
+
   // parse $host URL
   $a_host = parse_url($host);
   if ($a_host['host'])
author	thomasb <thomasb@208e9e7b-5314-0410-a742-e7e81cd9613c>	2006-12-22 21:45:21 +0000
committer	thomasb <thomasb@208e9e7b-5314-0410-a742-e7e81cd9613c>	2006-12-22 21:45:21 +0000
commit	fbf02ab360cbe003b9b90efb878969d82a3fc240 (patch)
tree	3304274f10ad0fda2b49a307b38d1cd755ac94bc /roundcubemail/program/include
parent	55491988926ec76a2a31914c3eb766790ca82b06 (diff)