From 7050d7c259a7e712111e0fc2a5b21b880ee1eada Mon Sep 17 00:00:00 2001
From: andryyy
Date: Sat, 5 Jun 2021 08:40:55 +0200
Subject: [PATCH] [Web] Fix BCC validation for aliases
---
 data/conf/rspamd/dynmaps/sasl_logs.php | 2 ++
 data/web/inc/functions.address_rewriting.inc.php | 15 +++++++++++----
 data/web/inc/functions.inc.php | 11 ++++++-----
 3 files changed, 19 insertions(+), 9 deletions(-)
 create mode 100644 data/conf/rspamd/dynmaps/sasl_logs.php
diff --git a/data/conf/rspamd/dynmaps/sasl_logs.php b/data/conf/rspamd/dynmaps/sasl_logs.php
new file mode 100644
index 00000000..2d4cbe65
--- /dev/null
+++ b/data/conf/rspamd/dynmaps/sasl_logs.php
@@ -0,0 +1,2 @@ + 'danger', 'log' => array(__FUNCTION__, $_action, $_data, $_attr),
@@ -56,10 +57,16 @@ function bcc($_action, $_data = null, $attr = null) {
 );
 return false;
 }
- $domain = mailbox('get', 'mailbox_details', $local_dest)['domain'];
- if (empty($domain)) {
- return false;
+ if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $local_dest) &&
+ !hasAliasObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $local_dest)) {
+ $_SESSION['return'][] = array(
+ 'type' => 'danger',
+ 'log' => array(__FUNCTION__, $_action, $_data, $_attr),
+ 'msg' => 'access_denied'
+ );
+ return false;
 }
+ $domain = idn_to_ascii(substr(strstr($local_dest, '@'), 1), 0, INTL_IDNA_VARIANT_UTS46);
 $local_dest_sane = $local_dest;
 }
 else {
diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 649aa4e7..c6a7e6c8 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
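Review bot: The added `$domain = idn_to_ascii(...)` line drops the `empty($domain)` guard the removed lines had, so when `idn_to_ascii()` returns `false` for an unconvertible label (or `strstr()` finds no `@` and the empty substring is passed in), `$domain` holds `false` and the code after the hunk proceeds with it. Keep a guard after that line, `if ($domain === false || $domain === '') { return false; }`, logging it the same way the new access-denied branch does. The removed `mailbox('get', 'mailbox_details', ...)` lookup also implicitly required the mailbox to exist, whereas deriving the domain from the address string alone no longer checks that; this may be intended for aliases, but confirm the code following the hunk tolerates a domain that is not managed here. The hunk header still shows the parameter as `$attr` while the log entry reads `$_attr`; if the earlier hunk did not rename it, that is an undefined variable in the log. bcc()'s body starts and ends outside this hunk.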
@@ -548,16 +548,17 @@ function hasMailboxObjectAccess($username, $role, $object) {
 }
 function hasAliasObjectAccess($username, $role, $object) {
 global $pdo;
+ if (empty($username) || empty($role) || empty($object)) {
+ return false;
+ }
 if (!filter_var(html_entity_decode(rawurldecode($username)), FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $username))) {
 return false;
 }
 if ($role != 'admin' && $role != 'domainadmin' && $role != 'user') {
 return false;
 }
- if ($username == $object) {
- return true;
- }
- $stmt = $pdo->prepare("SELECT `domain` FROM `alias` WHERE `address` = :object");
+ // Do not verify mailboxes
+ $stmt = $pdo->prepare("SELECT `domain` FROM `alias` WHERE `address` = :object AND `address` != `goto`");
 $stmt->execute(array(':object' => $object));
 $row = $stmt->fetch(PDO::FETCH_ASSOC);
 if (isset($row['domain']) && hasDomainAccess($username, $role, $row['domain'])) {
@@ -1031,7 +1032,7 @@ function user_get_alias_details($username) {
 if (empty($row['ad_alias'])) {
 continue;
 }
- $data['direct_aliases'][$row['ad_alias']]['public_comment'] = '' . $row['alias_domain'] . '';
+ $data['direct_aliases'][$row['ad_alias']]['public_comment'] = $lang['add']['alias_domain'];
 $data['alias_domains'][] = $row['alias_domain'];
 }
 $stmt = $pdo->prepare("SELECT IFNULL(GROUP_CONCAT(`send_as` SEPARATOR ', '), '') AS `send_as` FROM `sender_acl` WHERE `logged_in_as` = :username AND `send_as` NOT LIKE '@%';");
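Review bot: The comment `// Do not verify mailboxes` above the changed query says what is excluded but not why the `address != goto` predicate achieves it, so a reader without the schema in mind cannot check the query against the intent. If, as the comment implies, a mailbox is represented in `alias` as a row whose `goto` equals its `address`, say so: `// A mailbox is stored as an alias row with goto == address; exclude those so only real aliases grant access here (mailboxes are covered by hasMailboxObjectAccess)`. Note that removing the `$username == $object` shortcut means a user asking about their own address now reaches the database and is presumably denied by this function, so every caller must pair it with the mailbox check the way the bcc() hunk does; a grep for other callers is worth doing before merge. The function's remaining return path lies past the end of the hunk.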
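Review bot: The new right-hand side reads `$lang['add']['alias_domain']`, but nothing in the hunk shows `$lang` being brought into the function's scope; if user_get_alias_details() only declares `global $pdo;` (its header is outside the hunk), `$lang` is undefined here and `public_comment` silently becomes `null` with a notice. Add `global $lang;` alongside the existing global declaration, or pass the label in as an argument, and verify the `add`/`alias_domain` key exists in every language file so the comment is not blanked for some locales. The enclosing loop and function start before the hunk.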