From 1db85df0db7c1dc6a5377cf871c6134496b6da03 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Sat, 25 Apr 2020 09:44:04 +0200
Subject: [PATCH] [Web] Fix time limited alias creation via API, thanks to
 @ntimo

---
 data/web/inc/functions.mailbox.inc.php | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/data/web/inc/functions.mailbox.inc.php b/data/web/inc/functions.mailbox.inc.php
index 746779ee..7f7cf66b 100644
--- a/data/web/inc/functions.mailbox.inc.php
+++ b/data/web/inc/functions.mailbox.inc.php
@@ -43,9 +43,15 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             );
             return false;
           }
-          $stmt = $pdo->prepare("SELECT `domain` FROM `mailbox` WHERE `username` = :username");
-          $stmt->execute(array(':username' => $_SESSION['mailcow_cc_username']));
-          $domain = $stmt->fetch(PDO::FETCH_ASSOC)['domain'];
+          $domain = mailbox('get', 'mailbox_details', $username)
+          if (!is_valid_domain_name($domain)) {
+            $_SESSION['return'][] = array(
+              'type' => 'danger',
+              'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
+              'msg' => 'domain_invalid'
+            );
+            return false;
+          }
           $validity = strtotime("+".$_data["validity"]." hour");
           $letters = 'abcefghijklmnopqrstuvwxyz1234567890';
           $random_name = substr(str_shuffle($letters), 0, 24);
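Review bot: The added line `$domain = mailbox('get', 'mailbox_details', $username)` has no terminating semicolon, so the file will not parse as committed. The call name also suggests it returns a details array rather than a domain string (its definition is outside this hunk), in which case `is_valid_domain_name($domain)` would be validating the wrong value. If the details do carry a domain entry, read it explicitly, e.g. `$details = mailbox('get', 'mailbox_details', $username);` followed by `$domain = is_array($details) ? ($details['domain'] ?? null) : null;`. `$username` is assigned outside the hunk, and the lookup no longer uses `$_SESSION['mailcow_cc_username']`. It is worth confirming that an API caller can only pass a mailbox it is authorised for before the alias is created.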
@@ -59,7 +65,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           $_SESSION['return'][] = array(
             'type' => 'success',
             'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
-            'msg' => array('mailbox_modified', htmlspecialchars($_SESSION['mailcow_cc_username']))
+            'msg' => array('mailbox_modified', $username)
           );
         break;
         case 'global_filter':
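Review bot: The success message now passes `$username` without the `htmlspecialchars()` that the replaced line applied to the session username. `$username` is assigned outside this hunk; if it can come from API request data, and the `msg` arguments are later rendered into HTML without further encoding, this change removes the only escaping visible here. Keeping the encoding costs nothing: `'msg' => array('mailbox_modified', htmlspecialchars($username))`. The enclosing `case` block starts outside the hunk, so where `$username` comes from should be checked there.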