From 2b099ad2fc3663697e45dd16f4b82341e0267c86 Mon Sep 17 00:00:00 2001
From: Michael Rasmussen
Date: Thu, 11 Jun 2015 18:46:56 +0200
Subject: [PATCH] Enhance security
---
 mail_report.php | 2 +-
 message_view.php | 2 +-
 quarantine.php | 4 ++--
 show_headers.php | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/mail_report.php b/mail_report.php
index 60405f7..f8ff4ac 100644
--- a/mail_report.php
+++ b/mail_report.php
@@ -11,7 +11,7 @@
 $id = $_GET['id'];
 $mail = unserialize($_SESSION['mailInfo'][$id]);
- if (false == $util->authorized($mail->recipient)) {
+ if (! is_object($mail) || false == $util->authorized($mail->recipient)) {
 header('Location: index.php');
 exit;
 }
diff --git a/message_view.php b/message_view.php
index e81d984..aa276d8 100644
--- a/message_view.php
+++ b/message_view.php
@@ -13,7 +13,7 @@
 $mail = unserialize($_SESSION['mailInfo'][$id]);
- if (false == $util->authorized($mail->recipient)) {
+ if (! is_object($mail) || false == $util->authorized($mail->recipient)) {
 header('Location: index.php');
 exit;
 }
diff --git a/quarantine.php b/quarantine.php
index 14e07e7..788f78a 100644
--- a/quarantine.php
+++ b/quarantine.php
@@ -22,7 +22,7 @@
 $mail_id = urldecode($id);
 $mail = unserialize($_SESSION['mailInfo']["$mail_id"]);
- if (true == $util->authorized($mail->recipient)) {
+ if (is_object($mail) && true == $util->authorized($mail->recipient)) {
 $secret_id = $mail->secret_id;
 $recipient = $mail->recipient;
@@ -84,7 +84,7 @@
 $error = array();
 foreach ($marked as $mail_id) {
 $mail = $DB->getMail($mail_id);
- if (true == $util->authorized($mail->recipient)) {
+ if (is_object($mail) && true == $util->authorized($mail->recipient)) {
 $query[] = "delete from msgs where mail_id = '$mail_id'";
 $query[] = "delete from msgrcpt where mail_id = '$mail_id'";
 $query[] = "delete from quarantine where mail_id = '$mail_id'";
diff --git a/show_headers.php b/show_headers.php
index 0ff9a6e..e025ccd 100644
--- a/show_headers.php
+++ b/show_headers.php
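Review bot: The added `is_object($mail)` test in the mail_report.php `if` accepts an object of any class, so `$mail->recipient` can still be read from something that is not a mail record; an `instanceof` check against the mail class (its name is not visible in this hunk) would be tighter. `$id` also comes straight from `$_GET` and is used as a session array key with no existence or type check, so a missing key is only caught indirectly, through `unserialize()` failing after a notice. A guard such as `if (!is_string($id) || !isset($_SESSION['mailInfo'][$id])) { header('Location: index.php'); exit; }` before the `unserialize()` call makes the rejection explicit. The same pattern appears in the message_view.php and show_headers.php hunks and in the first quarantine.php hunk.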
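Review bot: The allow branch in the first quarantine.php hunk is entered on `true == $util->authorized($mail->recipient)`, a loose comparison that any truthy return value satisfies. Because this is the check that grants access, `is_object($mail) && $util->authorized($mail->recipient) === true` would fail closed if `authorized()` ever returns something other than a boolean; its return type is not visible here. The second quarantine.php hunk uses the same comparison. Separately, if `$id` comes from `$_GET` it has already been URL-decoded by PHP, so `urldecode($id)` decodes it a second time and the session key looked up may differ from the one the other pages use. The `if` body continues past the end of the hunk.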
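Review bot: The three `delete` statements in the second quarantine.php hunk still interpolate `$mail_id` directly into the SQL text (`where mail_id = '$mail_id'`), and the added `is_object($mail)` guard does not change that. Where `$marked` comes from is outside the hunk, but if it is request data the value should be bound as a parameter rather than quoted by hand, e.g. `delete from msgs where mail_id = ?` with `$mail_id` passed separately to whatever prepared-statement call the `$DB` wrapper offers. The guard also only helps if `getMail()` itself looks the id up safely, which is not visible here. The `foreach` body continues past the end of the hunk.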
@@ -11,7 +11,7 @@
 $id = $_GET['id'];
 $mail = unserialize($_SESSION['mailInfo'][$id]);
- if (false == $util->authorized($mail->recipient)) {
+ if (! is_object($mail) || false == $util->authorized($mail->recipient)) {
 header('Location: index.php');
 exit;
 }
-- 
2.39.2