From 00d4b32a1b0b2b6072e7b62eb52408044a2438d7 Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Wed, 3 Apr 2024 10:06:43 +0200 Subject: [PATCH 1/4] [Web] deny api calls from sogo --- data/web/json_api.php | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/data/web/json_api.php b/data/web/json_api.php index 28f8cac5..0240626a 100644 --- a/data/web/json_api.php +++ b/data/web/json_api.php @@ -47,6 +47,14 @@ function api_log($_data) { } } +// deny requests from /SOGo locations +if (isset($_SERVER['HTTP_REFERER'])) { + if (strpos(strtolower($_SERVER['HTTP_REFERER']), '/sogo') !== false) { + header('HTTP/1.1 403 Forbidden'); + exit; + } +} + if (isset($_GET['query'])) { $query = explode('/', $_GET['query']); From 2db8f482dbadcacf98bac77733daaf14c61b7e02 Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Wed, 3 Apr 2024 10:07:36 +0200 Subject: [PATCH 2/4] [Web] escape html of alert messages --- data/web/inc/footer.inc.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/data/web/inc/footer.inc.php b/data/web/inc/footer.inc.php index 61d81dff..cd689cd1 100644 --- a/data/web/inc/footer.inc.php +++ b/data/web/inc/footer.inc.php @@ -12,7 +12,8 @@ $alertbox_log_parser = alertbox_log_parser($_SESSION); $alerts = []; if (is_array($alertbox_log_parser)) { foreach ($alertbox_log_parser as $log) { - $message = strtr($log['msg'], ["\n" => '', "\r" => '', "\t" => '
']); + $message = htmlspecialchars($log['msg'], ENT_QUOTES); + $message = strtr($message, ["\n" => '', "\r" => '', "\t" => '
']); $alerts[trim($log['type'], '"')][] = trim($message, '"'); } $alert = array_filter(array_unique($alerts)); From 0d09c86c124e9a4f17f6813ce06cc4537ce81b46 Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Wed, 3 Apr 2024 10:08:18 +0200 Subject: [PATCH 3/4] [Web] fix invalid rspamd map check --- data/web/inc/functions.rspamd.inc.php | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/data/web/inc/functions.rspamd.inc.php b/data/web/inc/functions.rspamd.inc.php index fd1c5bd6..ec86919c 100644 --- a/data/web/inc/functions.rspamd.inc.php +++ b/data/web/inc/functions.rspamd.inc.php @@ -143,6 +143,7 @@ function rspamd_maps($_action, $_data = null) { return false; } $maps = (array)$_data['map']; + $valid_maps = array(); foreach ($maps as $map) { foreach ($RSPAMD_MAPS as $rspamd_map_type) { if (!in_array($map, $rspamd_map_type)) { @@ -151,9 +152,12 @@ function rspamd_maps($_action, $_data = null) { 'log' => array(__FUNCTION__, $_action, '-'), 'msg' => array('global_map_invalid', $map) ); - continue; + } else { + array_push($valid_maps, $map); } } + } + foreach ($valid_maps as $map) { try { if (file_exists('/rspamd_custom_maps/' . $map)) { $map_content = trim($_data['rspamd_map_data']); From 3aee2b6cf567222b6ea962f1a4d17160a283bb82 Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Wed, 3 Apr 2024 11:43:48 +0200 Subject: [PATCH 4/4] [Web] use SEC_FETCH_DEST header instead of Referer to block api requests --- data/web/json_api.php | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/data/web/json_api.php b/data/web/json_api.php index 0240626a..9e165b68 100644 --- a/data/web/json_api.php +++ b/data/web/json_api.php 
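Review bot: `htmlspecialchars($log['msg'], ENT_QUOTES)` on the added line passes an explicit flag set without ENT_SUBSTITUTE, so a message containing an invalid UTF-8 sequence makes the call return an empty string and that alert silently disappears instead of being shown escaped. Use `$message = htmlspecialchars($log['msg'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` so malformed bytes become U+FFFD and the charset is explicit rather than inherited from default_charset. Escaping before the strtr() that substitutes the tab replacement is the right order, since that replacement must not itself be entity-encoded. Whatever renders `$alerts` later (outside this hunk) now receives pre-escaped text; if the template escapes again, entities such as `&amp;` will be double-encoded, which is worth confirming against the footer markup.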
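Review bot: The inner loop over `$RSPAMD_MAPS` still records a `global_map_invalid` error for every map type a map does not belong to, so a map that is valid in one type is added to `$valid_maps` and at the same time reported as invalid for all the other types, and a name present in more than one type is pushed, and later written, more than once. Decide membership once per map against the union of all types, and compare strictly, since this allowlist is the only thing standing between the request-supplied `$_data['map']` and the `'/rspamd_custom_maps/' . $map` path used in the write loop below. The rest of rspamd_maps(), including the error entry's first key and the write loop, lies outside the hunk.
```php
$valid_maps = array();
// NOTE(review): assumes each $RSPAMD_MAPS entry is a list of map names, as the original in_array() implies
$known_maps = array_merge(...array_values($RSPAMD_MAPS));
foreach ($maps as $map) {
  if (!in_array($map, $known_maps, true)) {
    // … unchanged: existing $_SESSION['return'][] entry with ('global_map_invalid', $map) …
    continue;
  }
  $valid_maps[] = $map;
}
// … unchanged: foreach ($valid_maps as $map) { try { … } } …
```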
@@ -47,12 +47,10 @@ function api_log($_data) {
 }
 }
-// deny requests from /SOGo locations
-if (isset($_SERVER['HTTP_REFERER'])) {
- if (strpos(strtolower($_SERVER['HTTP_REFERER']), '/sogo') !== false) {
- header('HTTP/1.1 403 Forbidden');
- exit;
- }
+// Block requests not intended for direct API use by checking the 'Sec-Fetch-Dest' header.
+if (isset($_SERVER['HTTP_SEC_FETCH_DEST']) && $_SERVER['HTTP_SEC_FETCH_DEST'] !== 'empty') {
+ header('HTTP/1.1 403 Forbidden');
+ exit;
 }
 if (isset($_GET['query'])) {
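Review bot: The added `if (isset($_SERVER['HTTP_SEC_FETCH_DEST']) && $_SERVER['HTTP_SEC_FETCH_DEST'] !== 'empty')` only takes effect when the client sends Fetch Metadata at all: browsers without that support and non-browser API clients omit the header and pass unchanged, and a browser fetch()/XMLHttpRequest carries `Sec-Fetch-Dest: empty` and passes too, so what this rejects is navigations and subresource loads of the API (document, iframe, script, image and similar), not unauthorized callers in general. The comment above the check should say so, so that nobody later reads it as the access control; e.g. `// Fetch Metadata hardening: refuse browser navigations and subresource loads of the API (any Sec-Fetch-Dest other than 'empty'). Clients that omit the header and fetch()/XHR calls are unaffected, so this is not a substitute for authenticating the request.` Note that opening json_api.php directly in a browser now yields 403 as well, which appears to be the intent but is worth stating in the commit. As a point of style, `http_response_code(403);` expresses the status without pinning the protocol version string the way `header('HTTP/1.1 403 Forbidden');` does.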