Merge branch 'master' of https://github.com/mailcow/mailcow-dockerized

2019-10-09 22:23:05 +02:00 · 2019-10-09 22:23:05 +02:00 · 83231ba8b5
parent 227093ce9b 7373d91724
commit 83231ba8b5
5 changed files with 106 additions and 2 deletions
--- a/data/web/inc/ajax/qitem_details.php
+++ b/data/web/inc/ajax/qitem_details.php
@ -91,6 +91,19 @@ if (!empty($_GET['id']) && ctype_alnum($_GET['id'])) {
        );
      }
    }
+    if (isset($_GET['eml'])) {
+      $dl_filename = str_replace('/', '_', $data['subject']);
+      header('Pragma: public');
+      header('Expires: 0');
+      header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
+      header('Cache-Control: private', false);
+      header('Content-Type: message/rfc822');
+      header('Content-Disposition: attachment; filename="'. $dl_filename . '.eml";');
+      header('Content-Transfer-Encoding: binary');
+      header('Content-Length: ' . strlen($mailc['msg']));
+      echo $mailc['msg'];
+      exit;
+    }
    if (isset($_GET['att'])) {
      if ($_SESSION['acl']['quarantine_attachments'] == 0) {
        exit(json_encode('Forbidden'));
--- a/data/web/json_api.php
+++ b/data/web/json_api.php
@ -69,6 +69,7 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u

      // check for valid json
      if ($action != 'get' && $requestDecoded === null) {
+        http_response_code(400);
        echo json_encode(array(
            'type' => 'error',
            'msg' => 'Request body doesn\'t contain valid json!'
@ -126,6 +127,15 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u
          $attr = (array)json_decode($_POST['attr'], true);
          unset($attr['csrf_token']);
        }
+        // only allow POST requests to POST API endpoints
+        if ($_SERVER['REQUEST_METHOD'] != 'POST') {
+          http_response_code(405);
+          echo json_encode(array(
+              'type' => 'error',
+              'msg' => 'only POST method is allowed'
+          ));
+          exit();
+        }
        switch ($category) {
          case "time_limited_alias":
            process_add_return(mailbox('add', 'time_limited_alias', $attr));
@ -196,12 +206,29 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u
          case "tls-policy-map":
            process_add_return(tls_policy_maps('add', $attr));
          break;
+          // return no route found if no case is matched
+          default:
+            http_response_code(404);
+            echo json_encode(array(
+              'type' => 'error',
+              'msg' => 'route not found'
+            ));
+            exit();
        }
      break;
      case "get":
        function process_get_return($data) {
          echo (!isset($data) || empty($data)) ? '{}' : json_encode($data, JSON_UNESCAPED_UNICODE | JSON_PRETTY_PRINT);
        }
+        // only allow GET requests to GET API endpoints
+        if ($_SERVER['REQUEST_METHOD'] != 'GET') {
+          http_response_code(405);
+          echo json_encode(array(
+              'type' => 'error',
+              'msg' => 'only GET method is allowed'
+          ));
+          exit();
+        }
        switch ($category) {
          case "rspamd":
            switch ($object) {
@ -561,6 +588,14 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u
                }
                echo (isset($logs) && !empty($logs)) ? json_encode($logs, JSON_UNESCAPED_UNICODE | JSON_PRETTY_PRINT) : '{}';
              break;
+              // return no route found if no case is matched
+              default:
+                http_response_code(404);
+                echo json_encode(array(
+                  'type' => 'error',
+                  'msg' => 'route not found'
+                ));
+                exit();
            }
          break;
          case "mailbox":
@ -1026,9 +1061,14 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u
                  break;
            }
          break;
+          // return no route found if no case is matched
          default:
-            echo '{}';
-          break;
+            http_response_code(404);
+            echo json_encode(array(
+              'type' => 'error',
+              'msg' => 'route not found'
+            ));
+            exit();
        }
      break;
      case "delete":
@ -1055,6 +1095,15 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u
        else {
          $items = (array)json_decode($_POST['items'], true);
        }
+        // only allow POST requests to POST API endpoints
+        if ($_SERVER['REQUEST_METHOD'] != 'POST') {
+          http_response_code(405);
+          echo json_encode(array(
+              'type' => 'error',
+              'msg' => 'only POST method is allowed'
+          ));
+          exit();
+        }
        switch ($category) {
          case "alias":
            process_delete_return(mailbox('delete', 'alias', array('id' => $items)));
@ -1135,6 +1184,14 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u
          case "rlhash":
            echo ratelimit('delete', null, implode($items));
          break;
+          // return no route found if no case is matched
+          default:
+            http_response_code(404);
+            echo json_encode(array(
+              'type' => 'error',
+              'msg' => 'route not found'
+            ));
+            exit();
        }
      break;
      case "edit":
@ -1163,6 +1220,15 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u
          unset($attr['csrf_token']);
          $items = isset($_POST['items']) ? (array)json_decode($_POST['items'], true) : null;
        }
+        // only allow POST requests to POST API endpoints
+        if ($_SERVER['REQUEST_METHOD'] != 'POST') {
+          http_response_code(405);
+          echo json_encode(array(
+              'type' => 'error',
+              'msg' => 'only POST method is allowed'
+          ));
+          exit();
+        }
        switch ($category) {
          case "bcc":
            process_edit_return(bcc('edit', array_merge(array('id' => $items), $attr)));
@ -1271,8 +1337,29 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u
              process_edit_return(edit_user_account($attr));
            }
          break;
+          // return no route found if no case is matched
+          default:
+            http_response_code(404);
+            echo json_encode(array(
+              'type' => 'error',
+              'msg' => 'route not found'
+            ));
+            exit();
        }
      break;
+      // return no route found if no case is matched
+      default:
+        http_response_code(404);
+        echo json_encode(array(
+          'type' => 'error',
+          'msg' => 'route not found'
+        ));
+        exit();
+    }
+  }
+  if ($_SESSION['mailcow_cc_api'] === true) {
+    if (isset($_SESSION['mailcow_cc_api']) && $_SESSION['mailcow_cc_api'] === true) {
+      unset($_SESSION['return']);
    }
  }
 }
--- a/data/web/lang/lang.de.php
+++ b/data/web/lang/lang.de.php
@ -777,6 +777,7 @@ $lang['quarantine']['quarantine'] = "Quarantäne";
 $lang['quarantine']['qinfo'] = 'Das Quarantänesystem speichert abgelehnte Nachrichten in der Datenbank. Dem Sender wird <em>nicht</em> signalisiert, dass seine E-Mail zugestellt wurde.
  <br>"' . $lang['quarantine']['learn_spam_delete'] . '" lernt Nachrichten nach bayesscher Statistik als Spam und erstellt Fuzzy Hashes ausgehend von der jeweiligen Nachricht, um ähnliche Inhalte zukünftig zu unterbinden.
  <br>Der Prozess des Lernens kann abhängig vom System zeitintensiv sein.';
+$lang['quarantine']['download_eml'] = "Herunterladen (.eml)";
 $lang['quarantine']['release'] = "Freigeben";
 $lang['quarantine']['empty'] = 'Keine Einträge';
 $lang['quarantine']['toggle_all'] = 'Alle auswählen';
--- a/data/web/lang/lang.en.php
+++ b/data/web/lang/lang.en.php
@ -794,6 +794,7 @@ $lang['quarantine']['learn_spam_delete'] = "Learn as spam and delete";
 $lang['quarantine']['qinfo'] = 'The quarantine system will save rejected mail to the database, while the sender will <em>not</em> be given the impression of a delivered mail.
  <br>"' . $lang['quarantine']['learn_spam_delete'] . '" will learn a message as spam via Bayesian theorem and also calculate fuzzy hashes to deny similar messages in the future.
  <br>Please be aware that learning multiple messages can be - depending on your system - time consuming.';
+$lang['quarantine']['download_eml'] = "Download (.eml)";
 $lang['quarantine']['release'] = "Release";
 $lang['quarantine']['empty'] = 'No results';
 $lang['quarantine']['toggle_all'] = 'Toggle all';
--- a/data/web/modals/quarantine.php
+++ b/data/web/modals/quarantine.php
@ -46,6 +46,8 @@ if (!isset($_SESSION['mailcow_cc_role'])) {
            <li role="separator" class="divider"></li>
            <li><a data-action="edit_selected" data-id="qitems_single" data-item="" data-api-url='edit/qitem' data-api-attr='{"action":"learnspam"}' href="#"><?=$lang['quarantine']['learn_spam_delete'];?></a></li>
            <li role="separator" class="divider"></li>
+            <li><a data-id="qitems_single" data-item="" onclick="window.open('/inc/ajax/qitem_details.php?id=' + $(this).data('item') + '&eml', '_blank')" href="#"><?=$lang['quarantine']['download_eml'];?></a></li>
+            <li role="separator" class="divider"></li>
            <li><a data-action="delete_selected" data-id="qitems_single" data-item="" data-api-url='delete/qitem' href="#"><?=$lang['quarantine']['remove'];?></a></li>
          </ul>
        </div>