From 1db85df0db7c1dc6a5377cf871c6134496b6da03 Mon Sep 17 00:00:00 2001
From: andryyy
Date: Sat, 25 Apr 2020 09:44:04 +0200
Subject: [PATCH] [Web] Fix time limited alias creation via API, thanks to @ntimo
---
 data/web/inc/functions.mailbox.inc.php | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/data/web/inc/functions.mailbox.inc.php b/data/web/inc/functions.mailbox.inc.php
index 746779ee..7f7cf66b 100644
--- a/data/web/inc/functions.mailbox.inc.php
+++ b/data/web/inc/functions.mailbox.inc.php
@@ -43,9 +43,15 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
 );
 return false;
 }
- $stmt = $pdo->prepare("SELECT `domain` FROM `mailbox` WHERE `username` = :username");
- $stmt->execute(array(':username' => $_SESSION['mailcow_cc_username']));
- $domain = $stmt->fetch(PDO::FETCH_ASSOC)['domain'];
+ $domain = mailbox('get', 'mailbox_details', $username)
+ if (!is_valid_domain_name($domain)) {
+ $_SESSION['return'][] = array(
+ 'type' => 'danger',
+ 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
+ 'msg' => 'domain_invalid'
+ );
+ return false;
+ }
 $validity = strtotime("+".$_data["validity"]." hour");
 $letters = 'abcefghijklmnopqrstuvwxyz1234567890';
 $random_name = substr(str_shuffle($letters), 0, 24);
@@ -59,7 +65,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
 $_SESSION['return'][] = array(
 'type' => 'success',
 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
- 'msg' => array('mailbox_modified', htmlspecialchars($_SESSION['mailcow_cc_username']))
+ 'msg' => array('mailbox_modified', $username)
 );
 break;
 case 'global_filter':
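Review bot: The added assignment `$domain = mailbox('get', 'mailbox_details', $username)` has no terminating semicolon, so the file will not parse as shown in this hunk. The removed query read the `domain` column from the fetched row, while the new call presumably returns the whole mailbox details array, so `is_valid_domain_name($domain)` would receive an array rather than a domain string. If that is the case, the line should read `$domain = mailbox('get', 'mailbox_details', $username)['domain'];`, with a failed lookup handled before the index. The domain was previously derived from the session identity and now comes from `$username`, which is assigned outside the hunk. Confirm that value is bound to the authenticated caller before it decides which domain the alias is created under.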
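Review bot: The success message now passes `$username` raw, where the old line wrapped the session username in `htmlspecialchars()`. Where `$username` is assigned is outside the hunk. If it can come from request data and the message is rendered into HTML without encoding further down, this removes the only output escaping visible here. Either keep the encoding, `'msg' => array('mailbox_modified', htmlspecialchars($username))`, or add a comment above the line stating where the value is escaped at render time.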