Enhance security

[qtadmin.git] / quarantine.php

diff --git a/quarantine.php b/quarantine.php
index 14e07e7a4f1883b29b2b27c30f81b5bdfdb45593..7bda56d66d090903397e7a6e5f0fe0d3e60f9f28 100644 (file)
--- a/quarantine.php
+++ b/quarantine.php
@@ -14,7 +14,7 @@
         echo $util->getFooter();
     }
 
-    function handleRequest($request, $ids) {
+    function handleRequest($util, $request, $ids) {
         global $CFG;
 
         $query = array();
@@ -22,7 +22,7 @@
             $mail_id = urldecode($id);
             $mail = unserialize($_SESSION['mailInfo']["$mail_id"]);
 
-            if (true == $util->authorized($mail->recipient)) {
+            if (is_object($mail) && true == $util->authorized($mail->recipient)) {
                 $secret_id = $mail->secret_id;
                 $recipient = $mail->recipient;
 
@@ -70,7 +70,7 @@
     $request = isset($_GET['op']) ? $_GET['op'] : '';
     if ($loggedIn && isset($_GET['id'])) {
         $ids = explode(',', $_GET['id']);
-        $query = handleRequest($request, $ids);
+        $query = handleRequest($util, $request, $ids);
         $success = $DB->update($query);
         if (! $success) {
             error("Message not released, contact administrator [$query]");
@@ -84,7 +84,7 @@
         $error = array();
         foreach ($marked as $mail_id) {
             $mail = $DB->getMail($mail_id);
-            if (true == $util->authorized($mail->recipient)) {
+            if (is_object($mail) && true == $util->authorized($mail->recipient)) {
                 $query[] = "delete from msgs where mail_id = '$mail_id'";
                 $query[] = "delete from msgrcpt where mail_id = '$mail_id'";
                 $query[] = "delete from quarantine where mail_id = '$mail_id'";