hotfix imapsync

2022-06-13 12:46:39 +02:00
parent 7ae7f25580
commit 71db83efce
2 changed files with 188 additions and 5 deletions
--- a/data/web/inc/functions.mailbox.inc.php
+++ b/data/web/inc/functions.mailbox.inc.php
@@ -336,9 +336,34 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
          $mins_interval        = $_data['mins_interval'];
          $enc1                 = $_data['enc1'];
          $custom_params        = (empty(trim($_data['custom_params']))) ? '' : trim($_data['custom_params']);
-          // Workaround, fixme
-          if (stripos($custom_params, 'pipemess') || stripos($custom_params, 'pipemes')) {
-            $custom_params = '';
+
+          // validate custom params
+          foreach (explode(' -', $custom_params) as $param){
+            if (str_contains($param, ' ')) {
+              // bad char
+              $_SESSION['return'][] = array(
+                'type' => 'danger',
+                'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
+                'msg' => 'bad character SPACE'
+              );
+              return false;
+            }
+
+            // extract option
+            if (str_contains($param, '=')) $param = explode('=', $param)[0];
+            // remove first char if first char is -
+            if ($param[0] == '-') $param = ltrim($param, $param[0]);
+            
+            // check if param is whitelisted
+            if (!in_array(strtolower($param), $GLOBALS["IMAPSYNC_OPTIONS"]["whitelist"])){
+              // bad option
+              $_SESSION['return'][] = array(
+                'type' => 'danger',
+                'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
+                'msg' => 'bad option '. $param
+              );
+              return false;
+            }
          }
          if (empty($subfolder2)) {
            $subfolder2 = "";
@@ -1764,8 +1789,34 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
              );
              continue;
            }
-            if (stripos($custom_params, 'pipemess') || stripos($custom_params, 'pipemes')) {
-              $custom_params = '';
+
+            // validate custom params
+            foreach (explode(' -', $custom_params) as $param){
+              if (str_contains($param, ' ')) {
+                // bad char
+                $_SESSION['return'][] = array(
+                  'type' => 'danger',
+                  'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
+                  'msg' => 'bad character SPACE'
+                );
+                return false;
+              }
+  
+              // extract option
+              if (str_contains($param, '=')) $param = explode('=', $param)[0];
+              // remove first char if first char is -
+              if ($param[0] == '-') $param = ltrim($param, $param[0]);
+              
+              // check if param is whitelisted
+              if (!in_array(strtolower($param), $GLOBALS["IMAPSYNC_OPTIONS"]["whitelist"])){
+                // bad option
+                $_SESSION['return'][] = array(
+                  'type' => 'danger',
+                  'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
+                  'msg' => 'bad option '. $param
+                );
+                return false;
+              }
            }
            if (empty($subfolder2)) {
              $subfolder2 = "";