Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Web] add validate mailbox name function #5619

Open
wants to merge 1 commit into
base: staging
Choose a base branch
from
Open

[Web] add validate mailbox name function #5619

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions data/web/edit.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -108,7 +108,7 @@
];
}
elseif (isset($_GET['mailbox'])){
if(filter_var(html_entity_decode(rawurldecode($_GET["mailbox"])), FILTER_VALIDATE_EMAIL) && !empty($_GET["mailbox"])) {
if(is_valid_mailbox_name(html_entity_decode(rawurldecode($_GET["mailbox"])))) {
// edit mailbox
$mailbox = html_entity_decode(rawurldecode($_GET["mailbox"]));
$result = mailbox('get', 'mailbox_details', $mailbox);
Expand Down Expand Up @@ -146,7 +146,7 @@
$template = 'edit/transport.twig';
$template_data = ['transport' => $transport];
}
elseif (isset($_GET['resource']) && filter_var(html_entity_decode(rawurldecode($_GET["resource"])), FILTER_VALIDATE_EMAIL) && !empty($_GET["resource"])) {
elseif (isset($_GET['resource']) && is_valid_mailbox_name(html_entity_decode(rawurldecode($_GET["resource"])))) {
$resource = html_entity_decode(rawurldecode($_GET["resource"]));
$result = mailbox('get', 'resource_details', $resource);
$template = 'edit/resource.twig';
Expand Down
2 changes: 1 addition & 1 deletion data/web/inc/ajax/qitem_details.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ function rrmdir($src) {
function addAddresses(&$list, $mail, $headerName) {
$addresses = $mail->getAddresses($headerName);
foreach ($addresses as $address) {
if (filter_var($address['address'], FILTER_VALIDATE_EMAIL)) {
if (is_valid_mailbox_name($address['address'])) {
$list[] = array('address' => $address['address'], 'type' => $headerName);
}
}
Expand Down
4 changes: 2 additions & 2 deletions data/web/inc/ajax/transport_check.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,13 +9,13 @@
if (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == "admin") {
$transport_id = intval($_GET['transport_id']);
$transport_type = $_GET['transport_type'];
if (isset($_GET['mail_from']) && filter_var($_GET['mail_from'], FILTER_VALIDATE_EMAIL)) {
if (isset($_GET['mail_from']) && is_valid_mailbox_name($_GET['mail_from'])) {
$mail_from = $_GET['mail_from'];
}
else {
$mail_from = "[email protected]";
}
if (isset($_GET['mail_rcpt']) && filter_var($_GET['mail_rcpt'], FILTER_VALIDATE_EMAIL)) {
if (isset($_GET['mail_rcpt']) && is_valid_mailbox_name($_GET['mail_rcpt'])) {
$mail_rcpt = $_GET['mail_rcpt'];
}
else {
Expand Down
14 changes: 7 additions & 7 deletions data/web/inc/functions.address_rewriting.inc.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,7 @@ function bcc($_action, $_data = null, $_attr = null) {
$domain = idn_to_ascii($local_dest, 0, INTL_IDNA_VARIANT_UTS46);
$local_dest_sane = '@' . idn_to_ascii($local_dest, 0, INTL_IDNA_VARIANT_UTS46);
}
elseif (filter_var($local_dest, FILTER_VALIDATE_EMAIL)) {
elseif (is_valid_mailbox_name($local_dest)) {
$mailbox = mailbox('get', 'mailbox_details', $local_dest);
$shared_aliases = mailbox('get', 'shared_aliases');
$direct_aliases = mailbox('get', 'direct_aliases');
Expand All @@ -74,7 +74,7 @@ function bcc($_action, $_data = null, $_attr = null) {
else {
return false;
}
if (!filter_var($bcc_dest, FILTER_VALIDATE_EMAIL)) {
if (!is_valid_mailbox_name($bcc_dest)) {
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $_action, $_data, $_attr),
Expand Down Expand Up @@ -137,7 +137,7 @@ function bcc($_action, $_data = null, $_attr = null) {
);
continue;
}
if (!filter_var($bcc_dest, FILTER_VALIDATE_EMAIL)) {
if (!is_valid_mailbox_name($bcc_dest)) {
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $_action, $_data, $_attr),
Expand Down Expand Up @@ -274,7 +274,7 @@ function recipient_map($_action, $_data = null, $attr = null) {
if (is_valid_domain_name($old_dest)) {
$old_dest_sane = '@' . idn_to_ascii($old_dest, 0, INTL_IDNA_VARIANT_UTS46);
}
elseif (filter_var($old_dest, FILTER_VALIDATE_EMAIL)) {
elseif (is_valid_mailbox_name($old_dest)) {
$old_dest_sane = $old_dest;
}
else {
Expand All @@ -285,7 +285,7 @@ function recipient_map($_action, $_data = null, $attr = null) {
);
return false;
}
if (!filter_var($new_dest, FILTER_VALIDATE_EMAIL)) {
if (!is_valid_mailbox_name($new_dest)) {
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $_action, $_data, $_attr),
Expand Down Expand Up @@ -340,7 +340,7 @@ function recipient_map($_action, $_data = null, $attr = null) {
if (is_valid_domain_name($old_dest)) {
$old_dest_sane = '@' . idn_to_ascii($old_dest, 0, INTL_IDNA_VARIANT_UTS46);
}
elseif (filter_var($old_dest, FILTER_VALIDATE_EMAIL)) {
elseif (is_valid_mailbox_name($old_dest)) {
$old_dest_sane = $old_dest;
}
else {
Expand All @@ -351,7 +351,7 @@ function recipient_map($_action, $_data = null, $attr = null) {
);
continue;
}
if (!filter_var($new_dest, FILTER_VALIDATE_EMAIL)) {
if (!is_valid_mailbox_name($new_dest)) {
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $_action, $_data, $_attr),
Expand Down
2 changes: 1 addition & 1 deletion data/web/inc/functions.app_passwd.inc.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ function app_passwd($_action, $_data = null) {
$_data_log = $_data;
!isset($_data_log['app_passwd']) ?: $_data_log['app_passwd'] = '*';
!isset($_data_log['app_passwd2']) ?: $_data_log['app_passwd2'] = '*';
if (isset($_data['username']) && filter_var($_data['username'], FILTER_VALIDATE_EMAIL)) {
if (isset($_data['username']) && is_valid_mailbox_name($_data['username'])) {
if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data['username'])) {
$_SESSION['return'][] = array(
'type' => 'danger',
Expand Down
38 changes: 29 additions & 9 deletions data/web/inc/functions.inc.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -257,7 +257,7 @@ function last_login($action, $username, $sasl_limit_days = 7, $ui_offset = 1) {
$sasl_limit_days = intval($sasl_limit_days);
switch ($action) {
case 'get':
if (filter_var($username, FILTER_VALIDATE_EMAIL) && hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)) {
if (is_valid_mailbox_name($username) && hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)) {
$stmt = $pdo->prepare('SELECT `real_rip`, MAX(`datetime`) as `datetime`, `service`, `app_password`, MAX(`app_passwd`.`name`) as `app_password_name` FROM `sasl_log`
LEFT OUTER JOIN `app_passwd` on `sasl_log`.`app_password` = `app_passwd`.`id`
WHERE `username` = :username
Expand Down Expand Up @@ -333,7 +333,7 @@ function last_login($action, $username, $sasl_limit_days = 7, $ui_offset = 1) {
return array('ui' => $ui, 'sasl' => $sasl);
break;
case 'reset':
if (filter_var($username, FILTER_VALIDATE_EMAIL) && hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)) {
if (is_valid_mailbox_name($username) && hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)) {
$stmt = $pdo->prepare('DELETE FROM `sasl_log`
WHERE `username` = :username');
$stmt->execute(array(':username' => $username));
Expand Down Expand Up @@ -376,7 +376,7 @@ function sys_mail($_data) {
$mass_text = $_data['mass_text'];
$mass_html = $_data['mass_html'];
$mass_subject = $_data['mass_subject'];
if (!filter_var($mass_from, FILTER_VALIDATE_EMAIL)) {
if (!is_valid_mailbox_name($mass_from)) {
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__),
Expand Down Expand Up @@ -538,7 +538,7 @@ function logger($_data = false) {
}
function hasDomainAccess($username, $role, $domain) {
global $pdo;
if (!filter_var($username, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $username))) {
if (!is_valid_mailbox_name($username) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $username))) {
return false;
}
if (empty($domain) || !is_valid_domain_name($domain)) {
Expand Down Expand Up @@ -580,7 +580,7 @@ function hasMailboxObjectAccess($username, $role, $object) {
if (empty($username) || empty($role) || empty($object)) {
return false;
}
if (!filter_var(html_entity_decode(rawurldecode($username)), FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $username))) {
if (!is_valid_mailbox_name(html_entity_decode(rawurldecode($username))) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $username))) {
return false;
}
if ($role != 'admin' && $role != 'domainadmin' && $role != 'user') {
Expand All @@ -603,7 +603,7 @@ function hasAliasObjectAccess($username, $role, $object) {
if (empty($username) || empty($role) || empty($object)) {
return false;
}
if (!filter_var(html_entity_decode(rawurldecode($username)), FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $username))) {
if (!is_valid_mailbox_name(html_entity_decode(rawurldecode($username))) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $username))) {
return false;
}
if ($role != 'admin' && $role != 'domainadmin' && $role != 'user') {
Expand Down Expand Up @@ -816,7 +816,7 @@ function check_login($user, $pass, $app_passwd_data = false) {
global $redis;
global $imap_server;

if (!filter_var($user, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $user))) {
if (!is_valid_mailbox_name($user) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $user))) {
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $user, '*'),
Expand Down Expand Up @@ -1080,7 +1080,7 @@ function edit_user_account($_data) {
$username = $_SESSION['mailcow_cc_username'];
$role = $_SESSION['mailcow_cc_role'];
$password_old = $_data['user_old_pass'];
if (filter_var($username, FILTER_VALIDATE_EMAIL === false) || $role != 'user') {
if (!is_valid_mailbox_name($username) || $role != 'user') {
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $_data_log),
Expand Down Expand Up @@ -1132,7 +1132,7 @@ function user_get_alias_details($username) {
if ($_SESSION['mailcow_cc_role'] == "user") {
$username = $_SESSION['mailcow_cc_username'];
}
if (!filter_var($username, FILTER_VALIDATE_EMAIL)) {
if (!is_valid_mailbox_name($username)) {
return false;
}
if (!hasMailboxObjectAccess($username, $_SESSION['mailcow_cc_role'], $username)) {
Expand Down Expand Up @@ -1209,6 +1209,26 @@ function is_valid_domain_name($domain_name) {
&& preg_match("/^.{1,253}$/", $domain_name)
&& preg_match("/^[^\.]{1,63}(\.[^\.]{1,63})*$/", $domain_name));
}
function is_valid_mailbox_name($mailbox_name) {
if (empty($mailbox_name)) {
return false;
}
if (!filter_var($mailbox_name, FILTER_VALIDATE_EMAIL)) {
return false;
}
if (preg_match('/\//', $mailbox_name)) {
return false;
}
$mailbox_parts = explode('@', $mailbox_name);
if (count($mailbox_parts) != 2){
return false;
}
if ($mailbox_parts[0] == '' || $mailbox_parts[1] == '') {
return false;
}

return true;
}
function set_tfa($_data) {
global $pdo;
global $yubi;
Expand Down
Loading