From 8bbb3bf64f6af6e87ab570ad99c8c1589c5bb8f1 Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Fri, 29 Dec 2023 09:57:37 +0100 Subject: [PATCH] [Web] add validate mailbox name function --- data/web/edit.php | 4 +- data/web/inc/ajax/qitem_details.php | 2 +- data/web/inc/ajax/transport_check.php | 4 +- .../inc/functions.address_rewriting.inc.php | 14 ++-- data/web/inc/functions.app_passwd.inc.php | 2 +- data/web/inc/functions.inc.php | 38 +++++++-- data/web/inc/functions.mailbox.inc.php | 84 +++++++++---------- data/web/inc/functions.policy.inc.php | 2 +- data/web/inc/functions.pushover.inc.php | 2 +- data/web/inc/functions.quarantine.inc.php | 6 +- .../inc/functions.quota_notification.inc.php | 4 +- data/web/inc/functions.transports.inc.php | 4 +- data/web/inc/triggers.inc.php | 2 +- data/web/sogo-auth.php | 6 +- 14 files changed, 93 insertions(+), 81 deletions(-) diff --git a/data/web/edit.php b/data/web/edit.php index 83ae1467e0..00b7e966a5 100644 --- a/data/web/edit.php +++ b/data/web/edit.php @@ -108,7 +108,7 @@ ]; } elseif (isset($_GET['mailbox'])){ - if(filter_var(html_entity_decode(rawurldecode($_GET["mailbox"])), FILTER_VALIDATE_EMAIL) && !empty($_GET["mailbox"])) { + if(is_valid_mailbox_name(html_entity_decode(rawurldecode($_GET["mailbox"])))) { // edit mailbox $mailbox = html_entity_decode(rawurldecode($_GET["mailbox"])); $result = mailbox('get', 'mailbox_details', $mailbox); @@ -146,7 +146,7 @@ $template = 'edit/transport.twig'; $template_data = ['transport' => $transport]; } - elseif (isset($_GET['resource']) && filter_var(html_entity_decode(rawurldecode($_GET["resource"])), FILTER_VALIDATE_EMAIL) && !empty($_GET["resource"])) { + elseif (isset($_GET['resource']) && is_valid_mailbox_name(html_entity_decode(rawurldecode($_GET["resource"])))) { $resource = html_entity_decode(rawurldecode($_GET["resource"])); $result = mailbox('get', 'resource_details', $resource); $template = 'edit/resource.twig'; diff --git a/data/web/inc/ajax/qitem_details.php b/data/web/inc/ajax/qitem_details.php index 1611c82277..405b800ac1 100644 --- a/data/web/inc/ajax/qitem_details.php +++ b/data/web/inc/ajax/qitem_details.php @@ -22,7 +22,7 @@ function rrmdir($src) { function addAddresses(&$list, $mail, $headerName) { $addresses = $mail->getAddresses($headerName); foreach ($addresses as $address) { - if (filter_var($address['address'], FILTER_VALIDATE_EMAIL)) { + if (is_valid_mailbox_name($address['address'])) { $list[] = array('address' => $address['address'], 'type' => $headerName); } } diff --git a/data/web/inc/ajax/transport_check.php b/data/web/inc/ajax/transport_check.php index aa429edf42..b7635b0ef9 100644 --- a/data/web/inc/ajax/transport_check.php +++ b/data/web/inc/ajax/transport_check.php @@ -9,13 +9,13 @@ if (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == "admin") { $transport_id = intval($_GET['transport_id']); $transport_type = $_GET['transport_type']; - if (isset($_GET['mail_from']) && filter_var($_GET['mail_from'], FILTER_VALIDATE_EMAIL)) { + if (isset($_GET['mail_from']) && is_valid_mailbox_name($_GET['mail_from'])) { $mail_from = $_GET['mail_from']; } else { $mail_from = "relay@example.org"; } - if (isset($_GET['mail_rcpt']) && filter_var($_GET['mail_rcpt'], FILTER_VALIDATE_EMAIL)) { + if (isset($_GET['mail_rcpt']) && is_valid_mailbox_name($_GET['mail_rcpt'])) { $mail_rcpt = $_GET['mail_rcpt']; } else { diff --git a/data/web/inc/functions.address_rewriting.inc.php b/data/web/inc/functions.address_rewriting.inc.php index 140ae47647..e2bba9d0cd 100644 --- a/data/web/inc/functions.address_rewriting.inc.php +++ b/data/web/inc/functions.address_rewriting.inc.php @@ -47,7 +47,7 @@ function bcc($_action, $_data = null, $_attr = null) { $domain = idn_to_ascii($local_dest, 0, INTL_IDNA_VARIANT_UTS46); $local_dest_sane = '@' . idn_to_ascii($local_dest, 0, INTL_IDNA_VARIANT_UTS46); } - elseif (filter_var($local_dest, FILTER_VALIDATE_EMAIL)) { + elseif (is_valid_mailbox_name($local_dest)) { $mailbox = mailbox('get', 'mailbox_details', $local_dest); $shared_aliases = mailbox('get', 'shared_aliases'); $direct_aliases = mailbox('get', 'direct_aliases'); @@ -74,7 +74,7 @@ function bcc($_action, $_data = null, $_attr = null) { else { return false; } - if (!filter_var($bcc_dest, FILTER_VALIDATE_EMAIL)) { + if (!is_valid_mailbox_name($bcc_dest)) { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_data, $_attr), @@ -137,7 +137,7 @@ function bcc($_action, $_data = null, $_attr = null) { ); continue; } - if (!filter_var($bcc_dest, FILTER_VALIDATE_EMAIL)) { + if (!is_valid_mailbox_name($bcc_dest)) { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_data, $_attr), @@ -274,7 +274,7 @@ function recipient_map($_action, $_data = null, $attr = null) { if (is_valid_domain_name($old_dest)) { $old_dest_sane = '@' . idn_to_ascii($old_dest, 0, INTL_IDNA_VARIANT_UTS46); } - elseif (filter_var($old_dest, FILTER_VALIDATE_EMAIL)) { + elseif (is_valid_mailbox_name($old_dest)) { $old_dest_sane = $old_dest; } else { @@ -285,7 +285,7 @@ function recipient_map($_action, $_data = null, $attr = null) { ); return false; } - if (!filter_var($new_dest, FILTER_VALIDATE_EMAIL)) { + if (!is_valid_mailbox_name($new_dest)) { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_data, $_attr), @@ -340,7 +340,7 @@ function recipient_map($_action, $_data = null, $attr = null) { if (is_valid_domain_name($old_dest)) { $old_dest_sane = '@' . idn_to_ascii($old_dest, 0, INTL_IDNA_VARIANT_UTS46); } - elseif (filter_var($old_dest, FILTER_VALIDATE_EMAIL)) { + elseif (is_valid_mailbox_name($old_dest)) { $old_dest_sane = $old_dest; } else { @@ -351,7 +351,7 @@ function recipient_map($_action, $_data = null, $attr = null) { ); continue; } - if (!filter_var($new_dest, FILTER_VALIDATE_EMAIL)) { + if (!is_valid_mailbox_name($new_dest)) { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_data, $_attr), diff --git a/data/web/inc/functions.app_passwd.inc.php b/data/web/inc/functions.app_passwd.inc.php index b493fc9145..a42b4c5625 100644 --- a/data/web/inc/functions.app_passwd.inc.php +++ b/data/web/inc/functions.app_passwd.inc.php @@ -5,7 +5,7 @@ function app_passwd($_action, $_data = null) { $_data_log = $_data; !isset($_data_log['app_passwd']) ?: $_data_log['app_passwd'] = '*'; !isset($_data_log['app_passwd2']) ?: $_data_log['app_passwd2'] = '*'; - if (isset($_data['username']) && filter_var($_data['username'], FILTER_VALIDATE_EMAIL)) { + if (isset($_data['username']) && is_valid_mailbox_name($_data['username'])) { if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data['username'])) { $_SESSION['return'][] = array( 'type' => 'danger', diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php index 3cff09b95a..0f3500f0a6 100644 --- a/data/web/inc/functions.inc.php +++ b/data/web/inc/functions.inc.php @@ -257,7 +257,7 @@ function last_login($action, $username, $sasl_limit_days = 7, $ui_offset = 1) { $sasl_limit_days = intval($sasl_limit_days); switch ($action) { case 'get': - if (filter_var($username, FILTER_VALIDATE_EMAIL) && hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)) { + if (is_valid_mailbox_name($username) && hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)) { $stmt = $pdo->prepare('SELECT `real_rip`, MAX(`datetime`) as `datetime`, `service`, `app_password`, MAX(`app_passwd`.`name`) as `app_password_name` FROM `sasl_log` LEFT OUTER JOIN `app_passwd` on `sasl_log`.`app_password` = `app_passwd`.`id` WHERE `username` = :username @@ -333,7 +333,7 @@ function last_login($action, $username, $sasl_limit_days = 7, $ui_offset = 1) { return array('ui' => $ui, 'sasl' => $sasl); break; case 'reset': - if (filter_var($username, FILTER_VALIDATE_EMAIL) && hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)) { + if (is_valid_mailbox_name($username) && hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)) { $stmt = $pdo->prepare('DELETE FROM `sasl_log` WHERE `username` = :username'); $stmt->execute(array(':username' => $username)); @@ -376,7 +376,7 @@ function sys_mail($_data) { $mass_text = $_data['mass_text']; $mass_html = $_data['mass_html']; $mass_subject = $_data['mass_subject']; - if (!filter_var($mass_from, FILTER_VALIDATE_EMAIL)) { + if (!is_valid_mailbox_name($mass_from)) { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__), @@ -538,7 +538,7 @@ function logger($_data = false) { } function hasDomainAccess($username, $role, $domain) { global $pdo; - if (!filter_var($username, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $username))) { + if (!is_valid_mailbox_name($username) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $username))) { return false; } if (empty($domain) || !is_valid_domain_name($domain)) { @@ -580,7 +580,7 @@ function hasMailboxObjectAccess($username, $role, $object) { if (empty($username) || empty($role) || empty($object)) { return false; } - if (!filter_var(html_entity_decode(rawurldecode($username)), FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $username))) { + if (!is_valid_mailbox_name(html_entity_decode(rawurldecode($username))) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $username))) { return false; } if ($role != 'admin' && $role != 'domainadmin' && $role != 'user') { @@ -603,7 +603,7 @@ function hasAliasObjectAccess($username, $role, $object) { if (empty($username) || empty($role) || empty($object)) { return false; } - if (!filter_var(html_entity_decode(rawurldecode($username)), FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $username))) { + if (!is_valid_mailbox_name(html_entity_decode(rawurldecode($username))) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $username))) { return false; } if ($role != 'admin' && $role != 'domainadmin' && $role != 'user') { @@ -816,7 +816,7 @@ function check_login($user, $pass, $app_passwd_data = false) { global $redis; global $imap_server; - if (!filter_var($user, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $user))) { + if (!is_valid_mailbox_name($user) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $user))) { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $user, '*'), @@ -1080,7 +1080,7 @@ function edit_user_account($_data) { $username = $_SESSION['mailcow_cc_username']; $role = $_SESSION['mailcow_cc_role']; $password_old = $_data['user_old_pass']; - if (filter_var($username, FILTER_VALIDATE_EMAIL === false) || $role != 'user') { + if (!is_valid_mailbox_name($username) || $role != 'user') { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_data_log), @@ -1132,7 +1132,7 @@ function user_get_alias_details($username) { if ($_SESSION['mailcow_cc_role'] == "user") { $username = $_SESSION['mailcow_cc_username']; } - if (!filter_var($username, FILTER_VALIDATE_EMAIL)) { + if (!is_valid_mailbox_name($username)) { return false; } if (!hasMailboxObjectAccess($username, $_SESSION['mailcow_cc_role'], $username)) { @@ -1209,6 +1209,26 @@ function is_valid_domain_name($domain_name) { && preg_match("/^.{1,253}$/", $domain_name) && preg_match("/^[^\.]{1,63}(\.[^\.]{1,63})*$/", $domain_name)); } +function is_valid_mailbox_name($mailbox_name) { + if (empty($mailbox_name)) { + return false; + } + if (!filter_var($mailbox_name, FILTER_VALIDATE_EMAIL)) { + return false; + } + if (preg_match('/\//', $mailbox_name)) { + return false; + } + $mailbox_parts = explode('@', $mailbox_name); + if (count($mailbox_parts) != 2){ + return false; + } + if ($mailbox_parts[0] == '' || $mailbox_parts[1] == '') { + return false; + } + + return true; +} function set_tfa($_data) { global $pdo; global $yubi; diff --git a/data/web/inc/functions.mailbox.inc.php b/data/web/inc/functions.mailbox.inc.php index e965feafb8..02111328c2 100644 --- a/data/web/inc/functions.mailbox.inc.php +++ b/data/web/inc/functions.mailbox.inc.php @@ -19,7 +19,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { ); return false; } - if (isset($_data['username']) && filter_var($_data['username'], FILTER_VALIDATE_EMAIL)) { + if (isset($_data['username']) && is_valid_mailbox_name($_data['username'])) { if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data['username'])) { $_SESSION['return'][] = array( 'type' => 'danger', @@ -194,7 +194,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { ); return false; } - if (isset($_data['username']) && filter_var($_data['username'], FILTER_VALIDATE_EMAIL)) { + if (isset($_data['username']) && is_valid_mailbox_name($_data['username'])) { if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data['username'])) { $_SESSION['return'][] = array( 'type' => 'danger', @@ -292,7 +292,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { ); return false; } - if (isset($_data['username']) && filter_var($_data['username'], FILTER_VALIDATE_EMAIL)) { + if (isset($_data['username']) && is_valid_mailbox_name($_data['username'])) { if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data['username'])) { $_SESSION['return'][] = array( 'type' => 'danger', @@ -731,7 +731,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { unset($gotos[$i]); continue; } - if (!filter_var($goto, FILTER_VALIDATE_EMAIL) === true) { + if (!is_valid_mailbox_name($goto) === true) { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), @@ -809,7 +809,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { ); continue; } - if ((!filter_var($address, FILTER_VALIDATE_EMAIL) === true) && !empty($local_part)) { + if ((!is_valid_mailbox_name($address) === true) && !empty($local_part)) { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), @@ -827,7 +827,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { } $stmt = $pdo->prepare("INSERT INTO `alias` (`address`, `public_comment`, `private_comment`, `goto`, `domain`, `sogo_visible`, `active`) VALUES (:address, :public_comment, :private_comment, :goto, :domain, :sogo_visible, :active)"); - if (!filter_var($address, FILTER_VALIDATE_EMAIL) === true) { + if (!is_valid_mailbox_name($address) === true) { $stmt->execute(array( ':address' => '@'.$domain, ':public_comment' => $public_comment, @@ -990,15 +990,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { $local_part = strtolower(trim($_data['local_part'])); $domain = idn_to_ascii(strtolower(trim($_data['domain'])), 0, INTL_IDNA_VARIANT_UTS46); $username = $local_part . '@' . $domain; - if (!filter_var($username, FILTER_VALIDATE_EMAIL)) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), - 'msg' => 'mailbox_invalid' - ); - return false; - } - if (empty($_data['local_part'])) { + if (!is_valid_mailbox_name($username)) { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), @@ -1300,7 +1292,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { $kind = $_data['kind']; $multiple_bookings = intval($_data['multiple_bookings']); $active = intval($_data['active']); - if (!filter_var($name, FILTER_VALIDATE_EMAIL)) { + if (!is_valid_mailbox_name($name)) { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), @@ -1666,7 +1658,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { return false; } foreach ($usernames as $username) { - if (!filter_var($username, FILTER_VALIDATE_EMAIL) || !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)) { + if (!is_valid_mailbox_name($username) || !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)) { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), @@ -1720,7 +1712,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { return false; } foreach ($usernames as $username) { - if (!filter_var($username, FILTER_VALIDATE_EMAIL) || !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)) { + if (!is_valid_mailbox_name($username) || !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)) { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), @@ -1779,7 +1771,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { return false; } foreach ($usernames as $username) { - if (!filter_var($username, FILTER_VALIDATE_EMAIL) || !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)) { + if (!is_valid_mailbox_name($username) || !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)) { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), @@ -1950,7 +1942,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { return false; } foreach ($usernames as $username) { - if (!filter_var($username, FILTER_VALIDATE_EMAIL) || !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)) { + if (!is_valid_mailbox_name($username) || !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)) { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), @@ -2373,7 +2365,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { ); continue; } - if ((!filter_var($address, FILTER_VALIDATE_EMAIL) === true) && !empty($local_part)) { + if ((!is_valid_mailbox_name($address) === true)) { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), @@ -2443,7 +2435,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { if (empty($goto)) { continue; } - if (!filter_var($goto, FILTER_VALIDATE_EMAIL)) { + if (!is_valid_mailbox_name($goto)) { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), @@ -2823,7 +2815,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { $usernames = $_data['username']; } foreach ($usernames as $username) { - if (!filter_var($username, FILTER_VALIDATE_EMAIL)) { + if (!is_valid_mailbox_name($username)) { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), @@ -2916,7 +2908,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { if (substr($extra_acl, 0, 1) === "@") { $extra_acl = ltrim($extra_acl, '@'); } - if (!filter_var($extra_acl, FILTER_VALIDATE_EMAIL) && !is_valid_domain_name($extra_acl)) { + if (!is_valid_mailbox_name($extra_acl) && !is_valid_domain_name($extra_acl)) { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), @@ -2926,7 +2918,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { continue; } $domains = array_merge(mailbox('get', 'domains'), mailbox('get', 'alias_domains')); - if (filter_var($extra_acl, FILTER_VALIDATE_EMAIL)) { + if (is_valid_mailbox_name($extra_acl)) { $extra_acl_domain = idn_to_ascii(substr(strstr($extra_acl, '@'), 1), 0, INTL_IDNA_VARIANT_UTS46); if (in_array($extra_acl_domain, $domains)) { $_SESSION['return'][] = array( @@ -2994,7 +2986,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { // Check items in POST array and skip invalid foreach ($sender_acl_domain_admin as $key => $val) { // Check for invalid domain or email format or not * - if (!filter_var($val, FILTER_VALIDATE_EMAIL) && !is_valid_domain_name(ltrim($val, '@')) && $val != '*') { + if (!is_valid_mailbox_name($val) && !is_valid_domain_name(ltrim($val, '@')) && $val != '*') { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), @@ -3040,7 +3032,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { continue; } // Check if user has alias access (if object is email) - if (filter_var($val, FILTER_VALIDATE_EMAIL)) { + if (is_valid_mailbox_name($val)) { if (!hasAliasObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $val)) { $_SESSION['return'][] = array( 'type' => 'danger', @@ -3274,7 +3266,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { $mailboxes = is_array($_data['mailboxes']) ? $_data['mailboxes'] : array($_data['mailboxes']); foreach ($mailboxes as $mailbox) { - if (!filter_var($mailbox, FILTER_VALIDATE_EMAIL)) { + if (!is_valid_mailbox_name($mailbox)) { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), @@ -3344,7 +3336,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { ); continue; } - if (!filter_var($name, FILTER_VALIDATE_EMAIL)) { + if (!is_valid_mailbox_name($name)) { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), @@ -3417,7 +3409,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { $_data["mbox_exclude"] = array($_data["mbox_exclude"]); } foreach ($_data["mbox_exclude"] as $mailbox) { - if (!filter_var($mailbox, FILTER_VALIDATE_EMAIL)) { + if (!is_valid_mailbox_name($mailbox)) { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), @@ -3550,11 +3542,11 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { $stmt->execute(array(':logged_in_as' => $_data)); $address_rows = $stmt->fetchAll(PDO::FETCH_ASSOC); while ($address_row = array_shift($address_rows)) { - if (filter_var($address_row['send_as'], FILTER_VALIDATE_EMAIL) && !hasAliasObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $address_row['send_as'])) { + if (is_valid_mailbox_name($address_row['send_as']) && !hasAliasObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $address_row['send_as'])) { $data['sender_acl_addresses']['ro'][] = $address_row['send_as']; continue; } - if (filter_var($address_row['send_as'], FILTER_VALIDATE_EMAIL) && hasAliasObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $address_row['send_as'])) { + if (is_valid_mailbox_name($address_row['send_as']) && hasAliasObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $address_row['send_as'])) { $data['sender_acl_addresses']['rw'][] = $address_row['send_as']; continue; } @@ -3604,7 +3596,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { if (in_array($row['address'], $data['fixed_sender_aliases'])) { continue; } - if (filter_var($row['address'], FILTER_VALIDATE_EMAIL) && hasAliasObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $row['address'])) { + if (is_valid_mailbox_name($row['address']) && hasAliasObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $row['address'])) { $data['sender_acl_addresses']['selectable'][] = $row['address']; } } @@ -3664,7 +3656,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { break; case 'tls_policy': $attrs = array(); - if (isset($_data) && filter_var($_data, FILTER_VALIDATE_EMAIL)) { + if (isset($_data) && is_valid_mailbox_name($_data)) { if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) { return false; } @@ -3683,7 +3675,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { break; case 'quarantine_notification': $attrs = array(); - if (isset($_data) && filter_var($_data, FILTER_VALIDATE_EMAIL)) { + if (isset($_data) && is_valid_mailbox_name($_data)) { if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) { return false; } @@ -3699,7 +3691,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { break; case 'quarantine_category': $attrs = array(); - if (isset($_data) && filter_var($_data, FILTER_VALIDATE_EMAIL)) { + if (isset($_data) && is_valid_mailbox_name($_data)) { if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) { return false; } @@ -3715,7 +3707,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { break; case 'filters': $filters = array(); - if (isset($_data) && filter_var($_data, FILTER_VALIDATE_EMAIL)) { + if (isset($_data) && is_valid_mailbox_name($_data)) { if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) { return false; } @@ -3762,7 +3754,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { break; case 'active_user_sieve': $filter_details = array(); - if (isset($_data) && filter_var($_data, FILTER_VALIDATE_EMAIL)) { + if (isset($_data) && is_valid_mailbox_name($_data)) { if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) { return false; } @@ -3838,7 +3830,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { break; case 'syncjobs': $syncjobdata = array(); - if (isset($_data) && filter_var($_data, FILTER_VALIDATE_EMAIL)) { + if (isset($_data) && is_valid_mailbox_name($_data)) { if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) { return false; } @@ -3897,7 +3889,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { } curl_close($curl); $policydata = array(); - if (isset($_data) && filter_var($_data, FILTER_VALIDATE_EMAIL)) { + if (isset($_data) && is_valid_mailbox_name($_data)) { if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) { return false; } @@ -3924,7 +3916,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { break; case 'time_limited_aliases': $tladata = array(); - if (isset($_data) && filter_var($_data, FILTER_VALIDATE_EMAIL)) { + if (isset($_data) && is_valid_mailbox_name($_data)) { if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) { return false; } @@ -3946,7 +3938,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { break; case 'delimiter_action': $policydata = array(); - if (isset($_data) && filter_var($_data, FILTER_VALIDATE_EMAIL)) { + if (isset($_data) && is_valid_mailbox_name($_data)) { if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) { return false; } @@ -4087,7 +4079,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { $aliasdata['domain'] = $row['domain']; $aliasdata['goto'] = $row['goto']; $aliasdata['address'] = $row['address']; - (!filter_var($aliasdata['address'], FILTER_VALIDATE_EMAIL)) ? $aliasdata['is_catch_all'] = 1 : $aliasdata['is_catch_all'] = 0; + (!is_valid_mailbox_name($aliasdata['address'])) ? $aliasdata['is_catch_all'] = 1 : $aliasdata['is_catch_all'] = 0; $aliasdata['active'] = $row['active']; $aliasdata['active_int'] = $row['active']; $aliasdata['sogo_visible'] = $row['sogo_visible']; @@ -5118,7 +5110,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { $usernames = $_data['username']; } foreach ($usernames as $username) { - if (!filter_var($username, FILTER_VALIDATE_EMAIL)) { + if (!is_valid_mailbox_name($username)) { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), @@ -5361,7 +5353,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { $names = $_data['name']; } foreach ($names as $name) { - if (!filter_var($name, FILTER_VALIDATE_EMAIL)) { + if (!is_valid_mailbox_name($name)) { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), @@ -5478,7 +5470,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { $wasModified = false; foreach ($usernames as $username) { - if (!filter_var($username, FILTER_VALIDATE_EMAIL)) { + if (!is_valid_mailbox_name($username)) { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), diff --git a/data/web/inc/functions.policy.inc.php b/data/web/inc/functions.policy.inc.php index 498f991f72..fcbaeaca52 100644 --- a/data/web/inc/functions.policy.inc.php +++ b/data/web/inc/functions.policy.inc.php @@ -292,7 +292,7 @@ function policy($_action, $_scope, $_data = null) { return $rows; break; case 'mailbox': - if (isset($_data) && filter_var($_data, FILTER_VALIDATE_EMAIL)) { + if (isset($_data) && is_valid_mailbox_name($_data)) { if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) { return false; } diff --git a/data/web/inc/functions.pushover.inc.php b/data/web/inc/functions.pushover.inc.php index 5393c0d5ef..619e97b11d 100644 --- a/data/web/inc/functions.pushover.inc.php +++ b/data/web/inc/functions.pushover.inc.php @@ -74,7 +74,7 @@ function pushover($_action, $_data = null) { if (empty($sender)) { continue; } - if (!filter_var($sender, FILTER_VALIDATE_EMAIL) === true) { + if (!is_valid_mailbox_name($sender) === true) { unset($senders[$i]); continue; } diff --git a/data/web/inc/functions.quarantine.inc.php b/data/web/inc/functions.quarantine.inc.php index f4f49de493..aba09023ac 100644 --- a/data/web/inc/functions.quarantine.inc.php +++ b/data/web/inc/functions.quarantine.inc.php @@ -308,19 +308,19 @@ function quarantine($_action, $_data = null) { } $max_age = intval($_data['max_age']); $subject = $_data['subject']; - if (!filter_var($_data['bcc'], FILTER_VALIDATE_EMAIL)) { + if (!is_valid_mailbox_name($_data['bcc'])) { $bcc = ''; } else { $bcc = $_data['bcc']; } - if (!filter_var($_data['redirect'], FILTER_VALIDATE_EMAIL)) { + if (!is_valid_mailbox_name($_data['redirect'])) { $redirect = ''; } else { $redirect = $_data['redirect']; } - if (!filter_var($_data['sender'], FILTER_VALIDATE_EMAIL)) { + if (!is_valid_mailbox_name($_data['sender'])) { $sender = ''; } else { diff --git a/data/web/inc/functions.quota_notification.inc.php b/data/web/inc/functions.quota_notification.inc.php index 9f58bfb4ac..61ac4a39e0 100644 --- a/data/web/inc/functions.quota_notification.inc.php +++ b/data/web/inc/functions.quota_notification.inc.php @@ -21,7 +21,7 @@ function quota_notification($_action, $_data = null) { } $subject = $_data['subject']; $sender = preg_replace('/[\x00-\x1F\x80-\xFF]/', '', $_data['sender']); - if (filter_var($sender, FILTER_VALIDATE_EMAIL) === false) { + if (is_valid_mailbox_name($sender) === false) { $sender = ''; } $html = $_data['html_tmpl']; @@ -91,7 +91,7 @@ function quota_notification_bcc($_action, $_data = null) { $bcc_rcpts = array_map('trim', preg_split( "/( |,|;|\n)/", $_data['bcc_rcpt'])); foreach ($bcc_rcpts as $i => &$rcpt) { $rcpt = preg_replace('/[\x00-\x1F\x80-\xFF]/', '', $rcpt); - if (!empty($rcpt) && filter_var($rcpt, FILTER_VALIDATE_EMAIL) === false) { + if (is_valid_mailbox_name($rcpt) === false) { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_data_log), diff --git a/data/web/inc/functions.transports.inc.php b/data/web/inc/functions.transports.inc.php index 05ad25d859..dd26788918 100644 --- a/data/web/inc/functions.transports.inc.php +++ b/data/web/inc/functions.transports.inc.php @@ -238,7 +238,7 @@ function transport($_action, $_data = null) { continue; } // ".domain" is a valid destination, "..domain" is not - if ($is_mx_based == 0 && (empty($dest) || (is_valid_domain_name(preg_replace('/^' . preg_quote('.', '/') . '/', '', $dest)) === false && $dest != '*' && filter_var($dest, FILTER_VALIDATE_EMAIL) === false))) { + if ($is_mx_based == 0 && (empty($dest) || (is_valid_domain_name(preg_replace('/^' . preg_quote('.', '/') . '/', '', $dest)) === false && $dest != '*' && is_valid_mailbox_name($dest) === false))) { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_data_log), @@ -362,7 +362,7 @@ function transport($_action, $_data = null) { } } } - if ($is_mx_based == 0 && (empty($destination) || (is_valid_domain_name(preg_replace('/^' . preg_quote('.', '/') . '/', '', $destination)) === false && $destination != '*' && filter_var($destination, FILTER_VALIDATE_EMAIL) === false))) { + if ($is_mx_based == 0 && (empty($destination) || (is_valid_domain_name(preg_replace('/^' . preg_quote('.', '/') . '/', '', $destination)) === false && $destination != '*' && is_valid_mailbox_name($destination) === false))) { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_data_log), diff --git a/data/web/inc/triggers.inc.php b/data/web/inc/triggers.inc.php index 6922429b83..77d38d3471 100644 --- a/data/web/inc/triggers.inc.php +++ b/data/web/inc/triggers.inc.php @@ -83,7 +83,7 @@ if (isset($_SESSION['mailcow_cc_role']) && (isset($_SESSION['acl']['login_as']) && $_SESSION['acl']['login_as'] == "1")) { if (isset($_GET["duallogin"])) { $duallogin = html_entity_decode(rawurldecode($_GET["duallogin"])); - if (filter_var($duallogin, FILTER_VALIDATE_EMAIL)) { + if (is_valid_mailbox_name($duallogin)) { if (!empty(mailbox('get', 'mailbox_details', $duallogin))) { $_SESSION["dual-login"]["username"] = $_SESSION['mailcow_cc_username']; $_SESSION["dual-login"]["role"] = $_SESSION['mailcow_cc_role']; diff --git a/data/web/sogo-auth.php b/data/web/sogo-auth.php index 40fff58563..d37fe0725b 100644 --- a/data/web/sogo-auth.php +++ b/data/web/sogo-auth.php @@ -45,7 +45,7 @@ $login = html_entity_decode(rawurldecode($_GET["login"])); if (isset($_SESSION['mailcow_cc_role']) && (($_SESSION['acl']['login_as'] == "1" && $ALLOW_ADMIN_EMAIL_LOGIN !== 0) || ($is_dual === false && $login == $_SESSION['mailcow_cc_username']))) { - if (filter_var($login, FILTER_VALIDATE_EMAIL)) { + if (is_valid_mailbox_name($login)) { if (user_get_alias_details($login) !== false) { // load master password $sogo_sso_pass = file_get_contents("/etc/sogo-sso/sogo-sso.pass"); @@ -71,6 +71,7 @@ } // only check for admin-login on sogo GUI requests elseif (isset($_SERVER['HTTP_X_ORIGINAL_URI']) && strcasecmp(substr($_SERVER['HTTP_X_ORIGINAL_URI'], 0, 9), "/SOGo/so/") === 0) { + require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.inc.php'; // this is an nginx auth_request call, we check for existing sogo-sso session variables session_start(); // extract email address from "/SOGo/so/user@domain/xy" @@ -83,8 +84,7 @@ foreach($email_list as $email) { // check if this email is in session allowed list if ( - !empty($email) && - filter_var($email, FILTER_VALIDATE_EMAIL) && + is_valid_mailbox_name($email) && is_array($_SESSION[$session_var_user_allowed]) && in_array($email, $_SESSION[$session_var_user_allowed]) ) {