[Web] Add SMTP rcpt to qitems, filter invalid addresses

This commit is contained in:
andryyy 2020-06-06 14:13:46 +02:00
parent b93371ca0a
commit 22f0a14b87
No known key found for this signature in database
GPG Key ID: 8EC34FF2794E25EF
2 changed files with 11 additions and 3 deletions


@ -23,8 +23,10 @@ function rrmdir($src) {
function addAddresses(&$list, $mail, $headerName) { function addAddresses(&$list, $mail, $headerName) {
$addresses = $mail->getAddresses($headerName); $addresses = $mail->getAddresses($headerName);
foreach ($addresses as $address) { foreach ($addresses as $address) {
if (filter_var($address['address'], FILTER_VALIDATE_EMAIL)) {
$list[] = array('address' => $address['address'], 'type' => $headerName); $list[] = array('address' => $address['address'], 'type' => $headerName);
} }
}
} }
if (!empty($_GET['hash']) && ctype_alnum($_GET['hash'])) { if (!empty($_GET['hash']) && ctype_alnum($_GET['hash'])) {
@ -51,6 +53,7 @@ if (!empty($_GET['hash']) && ctype_alnum($_GET['hash'])) {
addAddresses($recipientsList, $mail_parser, 'to'); addAddresses($recipientsList, $mail_parser, 'to');
addAddresses($recipientsList, $mail_parser, 'cc'); addAddresses($recipientsList, $mail_parser, 'cc');
addAddresses($recipientsList, $mail_parser, 'bcc'); addAddresses($recipientsList, $mail_parser, 'bcc');
$recipientsList[] = array('address' => $mailc['rcpt'], 'type' => 'SMTP');
$data['recipients'] = $recipientsList; $data['recipients'] = $recipientsList;
} }
// Get from // Get from
@ -72,6 +75,10 @@ elseif (!empty($_GET['id']) && ctype_alnum($_GET['id'])) {
} }
$tmpdir = '/tmp/' . $_GET['id'] . '/'; $tmpdir = '/tmp/' . $_GET['id'] . '/';
$mailc = quarantine('details', $_GET['id']); $mailc = quarantine('details', $_GET['id']);
if ($mailc === false) {
echo json_encode(array('error' => 'Access denied'));
exit;
}
if (strlen($mailc['msg']) > 10485760) { if (strlen($mailc['msg']) > 10485760) {
echo json_encode(array('error' => 'Message size exceeds 10 MiB.')); echo json_encode(array('error' => 'Message size exceeds 10 MiB.'));
exit; exit;
@ -101,6 +108,7 @@ elseif (!empty($_GET['id']) && ctype_alnum($_GET['id'])) {
addAddresses($recipientsList, $mail_parser, 'to'); addAddresses($recipientsList, $mail_parser, 'to');
addAddresses($recipientsList, $mail_parser, 'cc'); addAddresses($recipientsList, $mail_parser, 'cc');
addAddresses($recipientsList, $mail_parser, 'bcc'); addAddresses($recipientsList, $mail_parser, 'bcc');
$recipientsList[] = array('address' => $mailc['rcpt'], 'type' => 'SMTP');
$data['recipients'] = $recipientsList; $data['recipients'] = $recipientsList;
} }
// Get from // Get from
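Review bot: The envelope recipient appended at `$recipientsList[] = array('address' => $mailc['rcpt'], 'type' => 'SMTP');` (hunks at -51 and -101) bypasses the `FILTER_VALIDATE_EMAIL` check this same commit adds to `addAddresses`, so header addresses are filtered while the database-sourced rcpt is emitted unvalidated, and it is appended even when the same address was already collected from To/Cc/Bcc. Guarding it the same way keeps the two paths consistent: `if (filter_var($mailc['rcpt'], FILTER_VALIDATE_EMAIL)) { $recipientsList[] = array('address' => $mailc['rcpt'], 'type' => 'SMTP'); }`. The `$mailc === false` guard is added only in the `$_GET['id']` branch (hunk at -72); the `$_GET['hash']` branch (hunk at -51) also reads `$mailc['rcpt']`, and whether `$mailc` is checked there is not visible in this hunk — if it is not, a denied lookup yields a null address entry rather than the 'Access denied' response. Both enclosing `if`/`elseif` bodies start and end outside the hunks shown.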


@ -361,7 +361,7 @@ function quarantine($_action, $_data = null) {
$stmt = $pdo->prepare('SELECT `msg`, `qid`, `sender`, `rcpt` FROM `quarantine` WHERE `id` = :id'); $stmt = $pdo->prepare('SELECT `msg`, `qid`, `sender`, `rcpt` FROM `quarantine` WHERE `id` = :id');
$stmt->execute(array(':id' => $id)); $stmt->execute(array(':id' => $id));
$row = $stmt->fetch(PDO::FETCH_ASSOC); $row = $stmt->fetch(PDO::FETCH_ASSOC);
if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $row['rcpt'])) { if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $row['rcpt']) && $_SESSION['mailcow_cc_role'] != 'admin') {
$_SESSION['return'][] = array( $_SESSION['return'][] = array(
'type' => 'danger', 'type' => 'danger',
'msg' => 'access_denied' 'msg' => 'access_denied'
@ -812,7 +812,7 @@ function quarantine($_action, $_data = null) {
$stmt = $pdo->prepare('SELECT * FROM `quarantine` WHERE `id`= :id'); $stmt = $pdo->prepare('SELECT * FROM `quarantine` WHERE `id`= :id');
$stmt->execute(array(':id' => $_data)); $stmt->execute(array(':id' => $_data));
$row = $stmt->fetch(PDO::FETCH_ASSOC); $row = $stmt->fetch(PDO::FETCH_ASSOC);
if (hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $row['rcpt'])) { if (hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $row['rcpt']) || $_SESSION['mailcow_cc_role'] == 'admin') {
return $row; return $row;
} }
logger(array('return' => array( logger(array('return' => array(
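Review bot: The new admin bypass in both hunks (-361 and -812) compares the role with loose `!=` / `==` rather than `!==` / `===`, which is the one place in an authorization decision where strict comparison matters; prefer `&& $_SESSION['mailcow_cc_role'] !== 'admin'` and `|| $_SESSION['mailcow_cc_role'] === 'admin'`. The same access rule is now duplicated in two branches of `quarantine()`, so a future change to one is easy to miss in the other — a small private helper such as `function quarantineAccessAllowed($rcpt) { return $_SESSION['mailcow_cc_role'] === 'admin' || hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $rcpt); }` would keep them in step. In the -812 hunk, when `fetch()` returns `false` for an unknown id the admin branch now returns that `false` without reaching the logger, which the caller then reports as 'Access denied'; checking `$row !== false` before the access test would separate not-found from denied. `quarantine()` starts and ends outside both hunks.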