7x31/mailcow-dockerized
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

[Web] Fix BCC validation for aliases

Browse Source
This commit is contained in:
andryyy
2021-06-05 08:40:55 +02:00
parent 51b32bc4c0
commit 7050d7c259
3 changed files with 19 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
data/web/inc/functions.inc.php
View File

@@ -548,16 +548,17 @@ function hasMailboxObjectAccess($username, $role, $object) {
}
function hasAliasObjectAccess($username, $role, $object) {
global $pdo;
if (empty($username) || empty($role) || empty($object)) {
return false;
}
if (!filter_var(html_entity_decode(rawurldecode($username)), FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $username))) {
return false;
}
if ($role != 'admin' && $role != 'domainadmin' && $role != 'user') {
return false;
}
if ($username == $object) {
return true;
}
$stmt = $pdo->prepare("SELECT `domain` FROM `alias` WHERE `address` = :object");
// Do not verify mailboxes
$stmt = $pdo->prepare("SELECT `domain` FROM `alias` WHERE `address` = :object AND `address` != `goto`");
$stmt->execute(array(':object' => $object));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if (isset($row['domain']) && hasDomainAccess($username, $role, $row['domain'])) {
@@ -1031,7 +1032,7 @@ function user_get_alias_details($username) {
if (empty($row['ad_alias'])) {
continue;
}
$data['direct_aliases'][$row['ad_alias']]['public_comment'] = '<span data-toggle="tooltip" title="' . $lang['add']['alias_domain'] . '">' . $row['alias_domain'] . '</span>';
$data['direct_aliases'][$row['ad_alias']]['public_comment'] = $lang['add']['alias_domain'];
$data['alias_domains'][] = $row['alias_domain'];
}
$stmt = $pdo->prepare("SELECT IFNULL(GROUP_CONCAT(`send_as` SEPARATOR ', '), '') AS `send_as` FROM `sender_acl` WHERE `logged_in_as` = :username AND `send_as` NOT LIKE '@%';");