From 618be3bf14600e46821e38ae7231bdf8cbae5ce9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Sat, 10 Feb 2018 22:42:46 +0100 Subject: [PATCH] [Web] Even more fixes for #1017 --- data/web/inc/footer.inc.php | 4 ++-- data/web/inc/functions.inc.php | 16 ++++++---------- data/web/inc/functions.policy.inc.php | 2 +- data/web/inc/header.inc.php | 6 +++--- data/web/inc/triggers.inc.php | 7 ++++--- data/web/js/mailbox.js | 11 ++++++----- data/web/js/user.js | 18 ++++++++++-------- data/web/user.php | 20 ++++++++++---------- 8 files changed, 42 insertions(+), 42 deletions(-) diff --git a/data/web/inc/footer.inc.php b/data/web/inc/footer.inc.php index 3c92c28e..d0932514 100644 --- a/data/web/inc/footer.inc.php +++ b/data/web/inc/footer.inc.php @@ -61,7 +61,7 @@ $(document).ready(function() { type: "GET", cache: false, dataType: 'script', - url: "/api/v1/get/u2f-authentication/", + url: "/api/v1/get/u2f-authentication/", complete: function(data){ $('#u2f_status_auth').html(''); data; @@ -100,7 +100,7 @@ $(document).ready(function() { type: "GET", cache: false, dataType: 'script', - url: "/api/v1/get/u2f-registration/", + url: "/api/v1/get/u2f-registration/", complete: function(data){ data; setTimeout(function() { diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php index f4e8d039..92f4da2b 100644 --- a/data/web/inc/functions.inc.php +++ b/data/web/inc/functions.inc.php @@ -39,7 +39,7 @@ function hasDomainAccess($username, $role, $domain) { } function hasMailboxObjectAccess($username, $role, $object) { global $pdo; - if (!filter_var($username, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $username))) { + if (!filter_var(html_entity_decode(rawurldecode($username)), FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $username))) { return false; } if ($role != 'admin' && $role != 'domainadmin' && $role != 'user') { @@ -471,22 +471,18 @@ function user_get_alias_details($username) { )); $run = $stmt->fetchAll(PDO::FETCH_ASSOC); while ($row = array_shift($run)) { - $data['direct_aliases'] = $row['direct_aliases']; + $data['direct_aliases'][] = $row['direct_aliases']; } - $stmt = $pdo->prepare("SELECT IFNULL(GROUP_CONCAT(local_part, '@', alias_domain SEPARATOR ', '), '✘') AS `ad_alias` FROM `mailbox` + $stmt = $pdo->prepare("SELECT GROUP_CONCAT(local_part, '@', alias_domain SEPARATOR ', ') AS `ad_alias` FROM `mailbox` LEFT OUTER JOIN `alias_domain` on `target_domain` = `domain` WHERE `username` = :username ;"); $stmt->execute(array(':username' => $username)); $run = $stmt->fetchAll(PDO::FETCH_ASSOC); while ($row = array_shift($run)) { - if (empty($data['direct_aliases'])) { - $data['direct_aliases'] = $row['ad_alias']; - } - else { - // Probably faster than imploding - $data['direct_aliases'] .= ', ' . $row['ad_alias']; - } + $data['direct_aliases'][] = $row['ad_alias']; } + $data['direct_aliases'] = implode(', ', array_filter($data['direct_aliases'])); + $data['direct_aliases'] = empty($data['direct_aliases']) ? '✘' : $data['direct_aliases']; $stmt = $pdo->prepare("SELECT IFNULL(GROUP_CONCAT(`send_as` SEPARATOR ', '), '✘') AS `send_as` FROM `sender_acl` WHERE `logged_in_as` = :username AND `send_as` NOT LIKE '@%';"); $stmt->execute(array(':username' => $username)); $run = $stmt->fetchAll(PDO::FETCH_ASSOC); diff --git a/data/web/inc/functions.policy.inc.php b/data/web/inc/functions.policy.inc.php index 9609d5e1..63f178c1 100644 --- a/data/web/inc/functions.policy.inc.php +++ b/data/web/inc/functions.policy.inc.php @@ -94,7 +94,7 @@ function policy($_action, $_scope, $_data = null) { if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $object)) { $_SESSION['return'] = array( 'type' => 'danger', - 'msg' => sprintf($lang['danger']['access_denied']) + 'msg' => $object ); return false; } diff --git a/data/web/inc/header.inc.php b/data/web/inc/header.inc.php index 253692fc..0c516d39 100644 --- a/data/web/inc/header.inc.php +++ b/data/web/inc/header.inc.php @@ -1,4 +1,4 @@ - + @@ -129,11 +129,11 @@ } if (!isset($_SESSION['dual-login']) && isset($_SESSION['mailcow_cc_username'])): ?> -
    • +
    • -
  • ()
    • +
  • ()
    • diff --git a/data/web/inc/triggers.inc.php b/data/web/inc/triggers.inc.php index bce8a20f..daf1a9a7 100644 --- a/data/web/inc/triggers.inc.php +++ b/data/web/inc/triggers.inc.php @@ -43,11 +43,12 @@ if (isset($_POST["login_user"]) && isset($_POST["pass_user"])) { if (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == "admin") { if (isset($_GET["duallogin"])) { - if (filter_var($_GET["duallogin"], FILTER_VALIDATE_EMAIL)) { - if (!empty(mailbox('get', 'mailbox_details', $_GET["duallogin"]))) { + $duallogin = html_entity_decode(rawurldecode($_GET["duallogin"])); + if (filter_var($duallogin, FILTER_VALIDATE_EMAIL)) { + if (!empty(mailbox('get', 'mailbox_details', $duallogin))) { $_SESSION["dual-login"]["username"] = $_SESSION['mailcow_cc_username']; $_SESSION["dual-login"]["role"] = $_SESSION['mailcow_cc_role']; - $_SESSION['mailcow_cc_username'] = $_GET["duallogin"]; + $_SESSION['mailcow_cc_username'] = $duallogin; $_SESSION['mailcow_cc_role'] = "user"; header("Location: /user.php"); } diff --git a/data/web/js/mailbox.js b/data/web/js/mailbox.js index 93418d92..ea7ce5f6 100644 --- a/data/web/js/mailbox.js +++ b/data/web/js/mailbox.js @@ -250,7 +250,6 @@ jQuery(function($){ $.each(data, function (i, item) { item.quota = item.quota_used + "/" + item.quota; item.max_quota_for_mbox = humanFileSize(item.max_quota_for_mbox); - item.username = escapeHtml(item.username); item.chkbox = ''; if (role == "admin") { item.action = '
    ' + @@ -268,7 +267,7 @@ jQuery(function($){ item.in_use = '
    ' + '
    ' + item.percent_in_use + '%' + '
    '; - + item.username = escapeHtml(item.username); }); } }), @@ -309,12 +308,12 @@ jQuery(function($){ }, success: function (data) { $.each(data, function (i, item) { - item.name = escapeHtml(item.name); item.action = '
    ' + ' ' + lang.edit + '' + ' ' + lang.remove + '' + '
    '; item.chkbox = ''; + item.name = escapeHtml(item.name); }); } }), @@ -461,10 +460,12 @@ jQuery(function($){ '
    '; item.chkbox = ''; item.goto = escapeHtml(item.goto); - item.address = escapeHtml(item.address); if (item.is_catch_all == 1) { item.address = '
    Catch-All
    ' + escapeHtml(item.address); } + else { + item.address = escapeHtml(item.address); + } if (item.goto == "null@localhost") { item.goto = '⤷ '; } @@ -568,7 +569,7 @@ jQuery(function($){ } else { item.exclude = '' + item.exclude + ''; } - item.server_w_port = item.user1 + '@' + item.host1 + ':' + item.port1; + item.server_w_port = escapeHtml(item.user1) + '@' + item.host1 + ':' + item.port1; item.action = '
    ' + ' ' + lang.edit + '' + ' ' + lang.remove + '' + diff --git a/data/web/js/user.js b/data/web/js/user.js index 3984e855..29825769 100644 --- a/data/web/js/user.js +++ b/data/web/js/user.js @@ -62,9 +62,10 @@ jQuery(function($){ $.each(data, function (i, item) { if (acl_data.spam_alias === 1) { item.action = '
    ' + - ' ' + lang.remove + '' + + ' ' + lang.remove + '' + '
    '; - item.chkbox = ''; + item.chkbox = ''; + item.address = escapeHtml(item.address); } else { item.chkbox = ''; @@ -102,24 +103,25 @@ jQuery(function($){ "empty": lang.empty, "rows": $.ajax({ dataType: 'json', - url: '/api/v1/get/syncjobs/' + mailcow_cc_username + '/no_log', + url: '/api/v1/get/syncjobs/' + encodeURIComponent(mailcow_cc_username) + '/no_log', jsonp: false, error: function () { console.log('Cannot draw sync job table'); }, success: function (data) { $.each(data, function (i, item) { - item.log = 'Open logs' + item.user1 = escapeHtml(item.user1); + item.log = 'Open logs' if (!item.exclude > 0) { item.exclude = '-'; } else { - item.exclude = '' + item.exclude + ''; + item.exclude = '' + escapeHtml(item.exclude) + ''; } - item.server_w_port = item.user1 + '@' + item.host1 + ':' + item.port1; + item.server_w_port = escapeHtml(item.user1 + '@' + item.host1 + ':' + item.port1); if (acl_data.syncjobs === 1) { item.action = '
    ' + ' ' + lang.edit + '' + - ' ' + lang.remove + '' + + ' ' + lang.remove + '' + '
    '; item.chkbox = ''; } @@ -238,7 +240,7 @@ jQuery(function($){ $('#user_sieve_filter').text(lang.loading); $.ajax({ dataType: 'json', - url: '/api/v1/get/active-user-sieve/' + mailcow_cc_username, + url: '/api/v1/get/active-user-sieve/' + encodeURIComponent(mailcow_cc_username), jsonp: false, error: function () { console.log('Cannot get active sieve script'); diff --git a/data/web/user.php b/data/web/user.php index 0fb0875f..6b807945 100644 --- a/data/web/user.php +++ b/data/web/user.php @@ -164,21 +164,21 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == ' @@ -201,14 +201,14 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == ' @@ -225,7 +225,7 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == '
    :
    - +

    @@ -315,7 +315,7 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == '
    @@ -346,7 +346,7 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == '
    - +
    @@ -372,10 +372,10 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == '
    - + - +