From 71db83efce069c8f241bdfd4ecac56babc9b2610 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it
Date: Mon, 13 Jun 2022 12:46:39 +0200
Subject: [PATCH 1/2] hotfix imapsync
---
 data/web/inc/functions.mailbox.inc.php | 61 +++++++++++-
 data/web/inc/vars.inc.php | 132 +++++++++++++++++++++++++
 2 files changed, 188 insertions(+), 5 deletions(-)
diff --git a/data/web/inc/functions.mailbox.inc.php b/data/web/inc/functions.mailbox.inc.php
index 7f8ff3ac..d6a07eab 100644
--- a/data/web/inc/functions.mailbox.inc.php
+++ b/data/web/inc/functions.mailbox.inc.php
@@ -336,9 +336,34 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
 $mins_interval = $_data['mins_interval'];
 $enc1 = $_data['enc1'];
 $custom_params = (empty(trim($_data['custom_params']))) ? '' : trim($_data['custom_params']);
- // Workaround, fixme
- if (stripos($custom_params, 'pipemess') || stripos($custom_params, 'pipemes')) {
- $custom_params = '';
+
+ // validate custom params
+ foreach (explode(' -', $custom_params) as $param){
+ if (str_contains($param, ' ')) {
+ // bad char
+ $_SESSION['return'][] = array(
+ 'type' => 'danger',
+ 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
+ 'msg' => 'bad character SPACE'
+ );
+ return false;
+ }
+
+ // extract option
+ if (str_contains($param, '=')) $param = explode('=', $param)[0];
+ // remove first char if first char is -
+ if ($param[0] == '-') $param = ltrim($param, $param[0]);
+
+ // check if param is whitelisted
+ if (!in_array(strtolower($param), $GLOBALS["IMAPSYNC_OPTIONS"]["whitelist"])){
+ // bad option
+ $_SESSION['return'][] = array(
+ 'type' => 'danger',
+ 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
+ 'msg' => 'bad option '. $param
+ );
+ return false;
+ }
 }
 if (empty($subfolder2)) {
 $subfolder2 = "";
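Review bot: The new loop refuses a sync job that has no custom parameters at all: after the `trim` on the third context line `$custom_params` is `''`, `explode(' -', '')` yields one empty element, `$param[0]` on it raises a notice/warning, and the empty string then fails the whitelist check with 'bad option '. Add `if ($param === '') continue;` as the first statement of the foreach. Note also that everything after `=` is discarded before the check, so only the option name is validated and the value is passed through untouched; since only a literal space is rejected, a tab or newline inside a value survives this filter, and whether the cron-side consumer (not visible here) splits on it decides whether a second option can be smuggled in — reject any whitespace instead, `if (preg_match('/\s/', $param)) {`. The enclosing function mailbox() starts before this hunk.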
@@ -1764,8 +1789,34 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
 );
 continue;
 }
- if (stripos($custom_params, 'pipemess') || stripos($custom_params, 'pipemes')) {
- $custom_params = '';
+
+ // validate custom params
+ foreach (explode(' -', $custom_params) as $param){
+ if (str_contains($param, ' ')) {
+ // bad char
+ $_SESSION['return'][] = array(
+ 'type' => 'danger',
+ 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
+ 'msg' => 'bad character SPACE'
+ );
+ return false;
+ }
+
+ // extract option
+ if (str_contains($param, '=')) $param = explode('=', $param)[0];
+ // remove first char if first char is -
+ if ($param[0] == '-') $param = ltrim($param, $param[0]);
+
+ // check if param is whitelisted
+ if (!in_array(strtolower($param), $GLOBALS["IMAPSYNC_OPTIONS"]["whitelist"])){
+ // bad option
+ $_SESSION['return'][] = array(
+ 'type' => 'danger',
+ 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
+ 'msg' => 'bad option '. $param
+ );
+ return false;
+ }
 }
 if (empty($subfolder2)) {
 $subfolder2 = "";
diff --git a/data/web/inc/vars.inc.php b/data/web/inc/vars.inc.php
index c8e79bc4..6e08be13 100644
--- a/data/web/inc/vars.inc.php
+++ b/data/web/inc/vars.inc.php
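Review bot: In this edit path the two `return false;` branches abort the whole request, whereas the surrounding per-item loop records an error and uses `continue;` (first context lines of the hunk), so one bad sync job in a multi-item edit leaves every later item unprocessed; use `continue;` in both error branches to match the existing pattern. The same loop also rejects an empty custom_params, because `explode(' -', '')` returns one empty element that fails the whitelist check — add `if ($param === '') continue;` at the top of the foreach. These 28 lines are a verbatim copy of the create path; a small `imapsync_custom_params_valid($custom_params)` helper would keep the two paths from drifting apart. The enclosing function and loop start before this hunk.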
@@ -228,3 +228,135 @@ $RSPAMD_MAPS = array(
 'Monitoring Hosts' => 'monitoring_nolog.map'
 )
 );
+
+
+$IMAPSYNC_OPTIONS = array(
+ 'whitelist' => array(
+ 'log',
+ 'showpasswords',
+ 'nossl1',
+ 'nossl2',
+ 'ssl2',
+ 'notls1',
+ 'notls2',
+ 'tls2',
+ 'debugssl',
+ 'sslargs1',
+ 'sslargs2',
+ 'authmech1',
+ 'authmech2',
+ 'authuser1',
+ 'authuser2',
+ 'proxyauth1',
+ 'proxyauth2',
+ 'authmd51',
+ 'authmd52',
+ 'domain1',
+ 'domain2',
+ 'oauthaccesstoken1',
+ 'oauthaccesstoken2',
+ 'oauthdirect1',
+ 'oauthdirect2',
+ 'folder',
+ 'folder',
+ 'folderrec',
+ 'folderrec',
+ 'folderfirst',
+ 'folderfirst',
+ 'folderlast',
+ 'folderlast',
+ 'nomixfolders',
+ 'skipemptyfolders',
+ 'include',
+ 'include',
+ 'subfolder1',
+ 'subscribed',
+ 'subscribe',
+ 'prefix1',
+ 'prefix2',
+ 'sep1',
+ 'sep2',
+ 'nofoldersizesatend',
+ 'justfoldersizes',
+ 'pidfile',
+ 'pidfilelocking',
+ 'nolog',
+ 'logfile',
+ 'logdir',
+ 'debugcrossduplicates',
+ 'disarmreadreceipts',
+ 'truncmess',
+ 'synclabels',
+ 'resynclabels',
+ 'resyncflags',
+ 'noresyncflags',
+ 'filterbuggyflags',
+ 'expunge1',
+ 'noexpunge1',
+ 'delete1emptyfolders',
+ 'delete2folders',
+ 'noexpunge2',
+ 'nouidexpunge2',
+ 'syncinternaldates',
+ 'idatefromheader',
+ 'maxsize',
+ 'minsize',
+ 'minage',
+ 'search',
+ 'search1',
+ 'search2',
+ 'noabletosearch',
+ 'noabletosearch1',
+ 'noabletosearch2',
+ 'maxlinelength',
+ 'useheader',
+ 'useheader',
+ 'syncduplicates',
+ 'usecache',
+ 'nousecache',
+ 'useuid',
+ 'syncacls',
+ 'nosyncacls',
+ 'debug',
+ 'debugfolders',
+ 'debugcontent',
+ 'debugflags',
+ 'debugimap1',
+ 'debugimap2',
+ 'debugimap',
+ 'debugmemory',
+ 'errorsmax',
+ 'tests',
+ 'testslive',
+ 'testslive6',
+ 'gmail1',
+ 'gmail2',
+ 'office1',
+ 'office2',
+ 'exchange1',
+ 'exchange2',
+ 'domino1',
+ 'domino2',
+ 'keepalive1',
+ 'keepalive2',
+ 'maxmessagespersecond',
+ 'maxbytesafter',
+ 'maxsleep',
+ 'abort',
+ 'exitwhenover',
+ 'noid',
+ 'justconnect',
+ 'justlogin',
+ 'justfolders'
+ ),
+ 'blacklist' => array(
+ 'skipmess',
+ 'delete2foldersonly',
+ 'delete2foldersbutnot',
+ 'regexflag',
+ 'regexmess',
+ 'pipemess',
+ 'regextrans2',
+ 'maxlinelengthcmd'
+ )
+);
From d373164e13a14e058f82c9f1918a5612f375a9f9 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it
Date: Mon, 20 Jun 2022 21:18:57 +0200
Subject: [PATCH 2/2] hotfix imapsync
---
 data/web/inc/init_db.inc.php | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/data/web/inc/init_db.inc.php b/data/web/inc/init_db.inc.php
index 88be5bca..1e53d4b8 100644
--- a/data/web/inc/init_db.inc.php
+++ b/data/web/inc/init_db.inc.php
@@ -3,7 +3,7 @@ function init_db_schema() {
 try {
 global $pdo;
- $db_version = "20052022_0938";
+ $db_version = "18062022_1153";
 $stmt = $pdo->query("SHOW TABLES LIKE 'versions'");
 $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
@@ -440,7 +440,7 @@ function init_db_schema() {
 "spam_score" => "TINYINT(1) NOT NULL DEFAULT '1'",
 "spam_policy" => "TINYINT(1) NOT NULL DEFAULT '1'",
 "delimiter_action" => "TINYINT(1) NOT NULL DEFAULT '1'",
- "syncjobs" => "TINYINT(1) NOT NULL DEFAULT '1'",
+ "syncjobs" => "TINYINT(1) NOT NULL DEFAULT '0'",
 "eas_reset" => "TINYINT(1) NOT NULL DEFAULT '1'",
 "sogo_profile_reset" => "TINYINT(1) NOT NULL DEFAULT '0'",
 "pushover" => "TINYINT(1) NOT NULL DEFAULT '1'",
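Review bot: The `blacklist` array at the end of the vars.inc.php hunk is never consulted — the validator in functions.mailbox.inc.php reads `$GLOBALS["IMAPSYNC_OPTIONS"]["whitelist"]` only — so a reader will assume those option names are actively blocked when they are merely absent from the whitelist; either drop it or label it, `// documentation only: enforcement is whitelist-only, see mailbox() custom_params validation`. The whitelist repeats `folder`, `folderrec`, `folderfirst`, `folderlast`, `include` and `useheader`; dedupe it so the allow-list can be audited entry by entry. `showpasswords`, `pidfile`, `logfile` and `logdir` are admitted as well; by their names they write credentials to logs or to caller-chosen paths, and since the validator checks the option name only and never its value, each deserves either removal or a one-line justification comment next to it.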
@@ -1228,8 +1228,17 @@ function init_db_schema() { } // Mitigate imapsync pipemess issue - $pdo->query("UPDATE `imapsync` SET `custom_params` = '' WHERE `custom_params` LIKE '%pipemess%' OR `custom_params` LIKE '%pipemes%';"); - + $pdo->query("UPDATE `imapsync` SET `custom_params` = '' + WHERE `custom_params` LIKE '%pipemess%' + OR custom_params LIKE '%skipmess%' + OR custom_params LIKE '%delete2foldersonly%' + OR custom_params LIKE '%delete2foldersbutnot%' + OR custom_params LIKE '%regexflag%' + OR custom_params LIKE '%pipemess%' + OR custom_params LIKE '%regextrans2%' + OR custom_params LIKE '%maxlinelengthcmd%';"); + + // Migrate webauthn tfa $stmt = $pdo->query("ALTER TABLE `tfa` MODIFY COLUMN `authmech` ENUM('yubi_otp', 'u2f', 'hotp', 'totp', 'webauthn')");