From 99ab945ae21848b99dc32f3797babbf3f8c09606 Mon Sep 17 00:00:00 2001
From: andryyy
Date: Thu, 20 May 2021 15:51:52 +0200
Subject: [PATCH] [Web] Important: Do not allow API actions with r/o session key, THANKS TO Samuel Oosterholt
---
 data/web/inc/footer.inc.php | 7 +++++++
 data/web/inc/triggers.inc.php | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/data/web/inc/footer.inc.php b/data/web/inc/footer.inc.php
index 8738cc64..caa962fa 100644
--- a/data/web/inc/footer.inc.php
+++ b/data/web/inc/footer.inc.php
@@ -304,5 +304,12 @@ $(document).ready(function() {
 "unset_fido2_key", "post_data" => $_POST));
 }
 }
-if (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == "admin") {
+if (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == "admin" && !isset($_SESSION['mailcow_cc_api'])) {
 // TODO: Move file upload to API?
 if (isset($_POST["submit_main_logo"])) {
 if ($_FILES['main_logo']['error'] == 0) {