|
@@ -336,9 +336,34 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
|
|
|
$mins_interval = $_data['mins_interval'];
|
|
|
$enc1 = $_data['enc1'];
|
|
|
$custom_params = (empty(trim($_data['custom_params']))) ? '' : trim($_data['custom_params']);
|
|
|
- // Workaround, fixme
|
|
|
- if (stripos($custom_params, 'pipemess') || stripos($custom_params, 'pipemes')) {
|
|
|
- $custom_params = '';
|
|
|
+
|
|
|
+ // validate custom params
|
|
|
+ foreach (explode(' -', $custom_params) as $param){
|
|
|
+ if (str_contains($param, ' ')) {
|
|
|
+ // bad char
|
|
|
+ $_SESSION['return'][] = array(
|
|
|
+ 'type' => 'danger',
|
|
|
+ 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
|
|
|
+ 'msg' => 'bad character SPACE'
|
|
|
+ );
|
|
|
+ return false;
|
|
|
+ }
|
|
|
+
|
|
|
+ // extract option
|
|
|
+ if (str_contains($param, '=')) $param = explode('=', $param)[0];
|
|
|
+ // remove first char if first char is -
|
|
|
+ if ($param[0] == '-') $param = ltrim($param, $param[0]);
|
|
|
+
|
|
|
+ // check if param is whitelisted
|
|
|
+ if (!in_array(strtolower($param), $GLOBALS["IMAPSYNC_OPTIONS"]["whitelist"])){
|
|
|
+ // bad option
|
|
|
+ $_SESSION['return'][] = array(
|
|
|
+ 'type' => 'danger',
|
|
|
+ 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
|
|
|
+ 'msg' => 'bad option '. $param
|
|
|
+ );
|
|
|
+ return false;
|
|
|
+ }
|
|
|
}
|
|
|
if (empty($subfolder2)) {
|
|
|
$subfolder2 = "";
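Review bot: An empty `$custom_params` — the value L14 explicitly normalizes to `''` — still enters the loop as a single empty token, where `$param[0]` reads an uninitialized string offset (a warning on PHP 8) and the whitelist check then rejects it as `bad option ` unless the whitelist happens to contain the empty string, so a mailbox with no custom options would fail validation; the same applies to the copy at the second hunk (@@ -1764). Guard the loop with `if ($custom_params !== '') {` … `}` and replace the offset read with `if (str_starts_with($param, '-')) $param = ltrim($param, '-');`, which also drops the loose `==`. The space check only rejects U+0020 — tabs and newlines pass — and the part after `=` is discarded rather than validated, so if these options are later joined into a command line (not visible here) a conservative allow-list on the whole token, e.g. `preg_match('/^[A-Za-z0-9_.\/:@=-]+$/', $param)`, would be safer than a single forbidden character. Pass `true` as the third argument of `in_array` so the whitelist match is strict. Since this block is duplicated verbatim in both hunks, a private helper returning bool would keep the two copies from drifting apart.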
|
|
@@ -1764,8 +1789,34 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
|
|
|
);
|
|
|
continue;
|
|
|
}
|
|
|
- if (stripos($custom_params, 'pipemess') || stripos($custom_params, 'pipemes')) {
|
|
|
- $custom_params = '';
|
|
|
+
|
|
|
+ // validate custom params
|
|
|
+ foreach (explode(' -', $custom_params) as $param){
|
|
|
+ if (str_contains($param, ' ')) {
|
|
|
+ // bad char
|
|
|
+ $_SESSION['return'][] = array(
|
|
|
+ 'type' => 'danger',
|
|
|
+ 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
|
|
|
+ 'msg' => 'bad character SPACE'
|
|
|
+ );
|
|
|
+ return false;
|
|
|
+ }
|
|
|
+
|
|
|
+ // extract option
|
|
|
+ if (str_contains($param, '=')) $param = explode('=', $param)[0];
|
|
|
+ // remove first char if first char is -
|
|
|
+ if ($param[0] == '-') $param = ltrim($param, $param[0]);
|
|
|
+
|
|
|
+ // check if param is whitelisted
|
|
|
+ if (!in_array(strtolower($param), $GLOBALS["IMAPSYNC_OPTIONS"]["whitelist"])){
|
|
|
+ // bad option
|
|
|
+ $_SESSION['return'][] = array(
|
|
|
+ 'type' => 'danger',
|
|
|
+ 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
|
|
|
+ 'msg' => 'bad option '. $param
|
|
|
+ );
|
|
|
+ return false;
|
|
|
+ }
|
|
|
}
|
|
|
if (empty($subfolder2)) {
|
|
|
$subfolder2 = "";
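Review bot: The `return false;` at the two rejection branches aborts the whole function, whereas the adjacent error path just above the hunk (L157–L161) records its message and uses `continue;` to move on to the next item; the enclosing loop and the function body both start outside this hunk, so I am inferring that context. If this validation runs inside that per-item loop, one item with a bad option silently skips every remaining item without a result entry for them, and the consistent form would be `continue 2;` (the inner `foreach` over params needs the level-2 continue to reach the outer loop). If instead the intent is to fail the entire batch, a one-line comment stating that, e.g. `// a single invalid option aborts the whole edit`, would make the asymmetry with the `continue;` path deliberate rather than accidental.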
|