diff --git a/data/web/inc/functions.mailbox.inc.php b/data/web/inc/functions.mailbox.inc.php
index 788b207f..3b8531bd 100644
--- a/data/web/inc/functions.mailbox.inc.php
+++ b/data/web/inc/functions.mailbox.inc.php
@@ -341,7 +341,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
 foreach (explode(' -', $custom_params) as $param){
 if(empty($param)) continue;
- if (str_contains($param, ' ')) {
+ if (str_contains(explode('=', $param)[0], ' ')) {
 // bad char
 $_SESSION['return'][] = array(
 'type' => 'danger',
@@ -1796,7 +1796,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
 foreach (explode(' -', $custom_params) as $param){
 if(empty($param)) continue;
- if (str_contains($param, ' ')) {
+ if (str_contains(explode('=', $param)[0], ' ')) {
 // bad char
 $_SESSION['return'][] = array(
 'type' => 'danger',
diff --git a/data/web/inc/init_db.inc.php b/data/web/inc/init_db.inc.php
index e7d13379..c80c398b 100644
--- a/data/web/inc/init_db.inc.php
+++ b/data/web/inc/init_db.inc.php
@@ -3,7 +3,7 @@ function init_db_schema() {
 try {
 global $pdo;
- $db_version = "04072022_1642";
+ $db_version = "13072022_1700";
 $stmt = $pdo->query("SHOW TABLES LIKE 'versions'");
 $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
@@ -440,7 +440,7 @@ function init_db_schema() {
 "spam_score" => "TINYINT(1) NOT NULL DEFAULT '1'",
 "spam_policy" => "TINYINT(1) NOT NULL DEFAULT '1'",
 "delimiter_action" => "TINYINT(1) NOT NULL DEFAULT '1'",
- "syncjobs" => "TINYINT(1) NOT NULL DEFAULT '1'",
+ "syncjobs" => "TINYINT(1) NOT NULL DEFAULT '0'",
 "eas_reset" => "TINYINT(1) NOT NULL DEFAULT '1'",
 "sogo_profile_reset" => "TINYINT(1) NOT NULL DEFAULT '0'",
 "pushover" => "TINYINT(1) NOT NULL DEFAULT '1'",
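Review bot: The relaxed check at the `+` line of the @@ -341 hunk now only rejects whitespace in the option name, so the value after the first `=` may contain any whitespace and nothing in this hunk validates it; the same change is made verbatim in the @@ -1796 hunk. Both hunks are inside mailbox(), which continues outside the diff, so the value presumably reaches the imapsync invocation further down — that path should apply its own validation or quoting of the value part, and the intent deserves a comment on the changed line, e.g. `// reject whitespace in the option name only; the value after '=' is validated separately`. Since the validation loop is duplicated in two places, a single private helper called from both would keep the two copies from drifting the next time one of them is tightened.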
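Review bot: Changing `syncjobs` to `DEFAULT '0'` in the @@ -440 hunk only affects rows inserted after this definition is applied; nothing else in this diff updates rows that already hold `1`. If the intent is to revoke the syncjobs ACL from existing accounts rather than only from new ones, the migration section of init_db_schema() (which continues outside the hunk) needs an explicit UPDATE, and the reason for the stricter default is worth a comment next to the column, e.g. `// syncjobs is opt-in: custom imapsync parameters reach an external process`.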
@@ -1227,8 +1227,16 @@ function init_db_schema() {
 $pdo->query($create);
 }
- // Mitigate imapsync pipemess issue
- $pdo->query("UPDATE `imapsync` SET `custom_params` = '' WHERE `custom_params` LIKE '%pipemess%';");
+ // Mitigate imapsync argument injection issue
+ $pdo->query("UPDATE `imapsync` SET `custom_params` = ''
+ WHERE `custom_params` LIKE '%pipemess%'
+ OR custom_params LIKE '%skipmess%'
+ OR custom_params LIKE '%delete2foldersonly%'
+ OR custom_params LIKE '%delete2foldersbutnot%'
+ OR custom_params LIKE '%regexflag%'
+ OR custom_params LIKE '%pipemess%'
+ OR custom_params LIKE '%regextrans2%'
+ OR custom_params LIKE '%maxlinelengthcmd%';");
 // Migrate webauthn tfa
 $stmt = $pdo->query("ALTER TABLE `tfa` MODIFY COLUMN `authmech` ENUM('yubi_otp', 'u2f', 'hotp', 'totp', 'webauthn')");
diff --git a/data/web/inc/vars.inc.php b/data/web/inc/vars.inc.php
index 6e08be13..02366c75 100644
--- a/data/web/inc/vars.inc.php
+++ b/data/web/inc/vars.inc.php
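Review bot: The cleanup UPDATE lists `%pipemess%` twice and omits `regexmess`, even though `'regexmess'` is in the `blacklist` array this same diff writes to vars.inc.php, so stored custom_params containing that option survive the migration. The duplicate line should become `OR custom_params LIKE '%regexmess%'`, so the LIKE list matches the blacklist one for one. A short comment such as `// keep in sync with $IMAPSYNC_OPTIONS['blacklist'] in vars.inc.php` above the query would make the coupling visible the next time the blacklist grows. init_db_schema() continues outside the hunk.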
@@ -232,131 +232,127 @@ $RSPAMD_MAPS = array(
 $IMAPSYNC_OPTIONS = array(
 'whitelist' => array(
- 'log',
- 'showpasswords',
- 'nossl1',
- 'nossl2',
- 'ssl2',
- 'notls1',
- 'notls2',
- 'tls2',
- 'debugssl',
- 'sslargs1',
- 'sslargs2',
- 'authmech1',
- 'authmech2',
- 'authuser1',
- 'authuser2',
- 'proxyauth1',
- 'proxyauth2',
- 'authmd51',
- 'authmd52',
- 'domain1',
- 'domain2',
- 'oauthaccesstoken1',
- 'oauthaccesstoken2',
- 'oauthdirect1',
- 'oauthdirect2',
- 'folder',
- 'folder',
- 'folderrec',
- 'folderrec',
- 'folderfirst',
- 'folderfirst',
- 'folderlast',
- 'folderlast',
- 'nomixfolders',
- 'skipemptyfolders',
- 'include',
- 'include',
- 'subfolder1',
- 'subscribed',
- 'subscribe',
- 'prefix1',
- 'prefix2',
- 'sep1',
- 'sep2',
- 'nofoldersizesatend',
- 'justfoldersizes',
- 'pidfile',
- 'pidfilelocking',
- 'nolog',
- 'logfile',
- 'logdir',
- 'debugcrossduplicates',
- 'disarmreadreceipts',
- 'truncmess',
- 'synclabels',
- 'resynclabels',
- 'resyncflags',
- 'noresyncflags',
- 'filterbuggyflags',
- 'expunge1',
- 'noexpunge1',
- 'delete1emptyfolders',
- 'delete2folders',
- 'noexpunge2',
- 'nouidexpunge2',
- 'syncinternaldates',
- 'idatefromheader',
- 'maxsize',
- 'minsize',
- 'minage',
- 'search',
- 'search1',
- 'search2',
- 'noabletosearch',
- 'noabletosearch1',
- 'noabletosearch2',
- 'maxlinelength',
- 'useheader',
- 'useheader',
- 'syncduplicates',
- 'usecache',
- 'nousecache',
- 'useuid',
- 'syncacls',
- 'nosyncacls',
- 'debug',
- 'debugfolders',
- 'debugcontent',
- 'debugflags',
- 'debugimap1',
- 'debugimap2',
- 'debugimap',
- 'debugmemory',
- 'errorsmax',
- 'tests',
- 'testslive',
- 'testslive6',
- 'gmail1',
- 'gmail2',
- 'office1',
- 'office2',
- 'exchange1',
- 'exchange2',
- 'domino1',
- 'domino2',
- 'keepalive1',
- 'keepalive2',
- 'maxmessagespersecond',
- 'maxbytesafter',
- 'maxsleep',
- 'abort',
- 'exitwhenover',
- 'noid',
- 'justconnect',
- 'justlogin',
- 'justfolders'
+ 'authmech1',
+ 'authmech2',
+ 'authuser1',
+ 'authuser2',
+ 'debugcontent',
+ 'disarmreadreceipts',
+ 'logdir',
+ 'debugcrossduplicates',
+ 'maxsize',
+ 'minsize',
+ 'minage',
+ 'search',
+ 'noabletosearch',
+ 'pidfile',
+ 'pidfilelocking',
+ 'search1',
+ 'search2',
+ 'sslargs1',
+ 'sslargs2',
+ 'syncduplicates',
+ 'usecache',
+ 'synclabels',
+ 'truncmess',
+ 'domino2',
+ 'expunge1',
+ 'filterbuggyflags',
+ 'justconnect',
+ 'justfolders',
+ 'maxlinelength',
+ 'useheader',
+ 'noabletosearch1',
+ 'nolog',
+ 'prefix1',
+ 'prefix2',
+ 'sep1',
+ 'sep2',
+ 'nofoldersizesatend',
+ 'justfoldersizes',
+ 'proxyauth1',
+ 'skipemptyfolders',
+ 'include',
+ 'subfolder1',
+ 'subscribed',
+ 'subscribe',
+ 'debug',
+ 'debugimap2',
+ 'domino1',
+ 'exchange1',
+ 'exchange2',
+ 'justlogin',
+ 'keepalive1',
+ 'keepalive2',
+ 'noabletosearch2',
+ 'noexpunge2',
+ 'noresyncflags',
+ 'nossl1',
+ 'nouidexpunge2',
+ 'syncinternaldates',
+ 'idatefromheader',
+ 'useuid',
+ 'debugflags',
+ 'debugimap',
+ 'delete1emptyfolders',
+ 'delete2folders',
+ 'gmail2',
+ 'office1',
+ 'testslive6',
+ 'debugimap1',
+ 'errorsmax',
+ 'tests',
+ 'gmail1',
+ 'maxmessagespersecond',
+ 'maxbytesafter',
+ 'maxsleep',
+ 'abort',
+ 'resyncflags',
+ 'resynclabels',
+ 'syncacls',
+ 'nosyncacls',
+ 'nousecache',
+ 'office2',
+ 'testslive',
+ 'debugmemory',
+ 'exitwhenover',
+ 'noid',
+ 'noexpunge1',
+ 'authmd51',
+ 'logfile',
+ 'proxyauth2',
+ 'domain1',
+ 'domain2',
+ 'oauthaccesstoken1',
+ 'oauthaccesstoken2',
+ 'oauthdirect1',
+ 'oauthdirect2',
+ 'folder',
+ 'folderrec',
+ 'folderfirst',
+ 'folderlast',
+ 'nomixfolders',
+ 'authmd52',
+ 'debugfolders',
+ 'nossl2',
+ 'ssl2',
+ 'tls2',
+ 'notls2',
+ 'debugssl',
+ 'notls1',
+ 'inet4',
+ 'inet6',
+ 'log',
+ 'showpasswords'
 ),
 'blacklist' => array(
- 'skipmess',
- 'delete2foldersonly',
- 'delete2foldersbutnot',
- 'regexflag',
- 'regexmess',
- 'pipemess',
- 'regextrans2',
- 'maxlinelengthcmd'
+ 'skipmess',
+ 'delete2foldersonly',
+ 'delete2foldersbutnot',
+ 'regexflag',
+ 'regexmess',
+ 'pipemess',
+ 'regextrans2',
+ 'maxlinelengthcmd'
 )
 );
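Review bot: The rewritten `whitelist` is in no discernible order, which makes it hard to audit against the imapsync option set and to spot duplicates — the very problem the old list had with `folder`, `folderrec`, `folderfirst`, `folderlast`, `include` and `useheader`. Keeping the list alphabetised (as the removed block partially was) and adding `// keep sorted; every entry is a user-controllable imapsync switch` at the top would make future additions like `inet4`/`inet6` reviewable at a glance. Separately, `showpasswords` and the `debug*` switches stay on the allow list; if `showpasswords` does what its name suggests, a mailbox user can cause credentials to be written to the sync log, so it may belong on the `blacklist` instead, or at least deserves a comment explaining why it is permitted.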