|  | @@ -336,9 +336,34 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
 | 
	
		
			
				|  |  |            $mins_interval        = $_data['mins_interval'];
 | 
	
		
			
				|  |  |            $enc1                 = $_data['enc1'];
 | 
	
		
			
				|  |  |            $custom_params        = (empty(trim($_data['custom_params']))) ? '' : trim($_data['custom_params']);
 | 
	
		
			
				|  |  | -          // Workaround, fixme
 | 
	
		
			
				|  |  | -          if (stripos($custom_params, 'pipemess') || stripos($custom_params, 'pipemes')) {
 | 
	
		
			
				|  |  | -            $custom_params = '';
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +          // validate custom params
 | 
	
		
			
				|  |  | +          foreach (explode(' -', $custom_params) as $param){
 | 
	
		
			
				|  |  | +            if (str_contains($param, ' ')) {
 | 
	
		
			
				|  |  | +              // bad char
 | 
	
		
			
				|  |  | +              $_SESSION['return'][] = array(
 | 
	
		
			
				|  |  | +                'type' => 'danger',
 | 
	
		
			
				|  |  | +                'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
 | 
	
		
			
				|  |  | +                'msg' => 'bad character SPACE'
 | 
	
		
			
				|  |  | +              );
 | 
	
		
			
				|  |  | +              return false;
 | 
	
		
			
				|  |  | +            }
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +            // extract option
 | 
	
		
			
				|  |  | +            if (str_contains($param, '=')) $param = explode('=', $param)[0];
 | 
	
		
			
				|  |  | +            // remove first char if first char is -
 | 
	
		
			
				|  |  | +            if ($param[0] == '-') $param = ltrim($param, $param[0]);
 | 
	
		
			
				|  |  | +            
 | 
	
		
			
				|  |  | +            // check if param is whitelisted
 | 
	
		
			
				|  |  | +            if (!in_array(strtolower($param), $GLOBALS["IMAPSYNC_OPTIONS"]["whitelist"])){
 | 
	
		
			
				|  |  | +              // bad option
 | 
	
		
			
				|  |  | +              $_SESSION['return'][] = array(
 | 
	
		
			
				|  |  | +                'type' => 'danger',
 | 
	
		
			
				|  |  | +                'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
 | 
	
		
			
				|  |  | +                'msg' => 'bad option '. $param
 | 
	
		
			
				|  |  | +              );
 | 
	
		
			
				|  |  | +              return false;
 | 
	
		
			
				|  |  | +            }
 | 
	
		
			
				|  |  |            }
 | 
	
		
			
				|  |  |            if (empty($subfolder2)) {
 | 
	
		
			
				|  |  |              $subfolder2 = "";
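Review bot: An empty `$custom_params`, which the assignment just above the loop produces for any job without custom parameters, still enters the loop because `explode(' -', '')` returns `['']`. `$param[0]` then reads offset 0 of an empty string and the `in_array` test fails unless the whitelist happens to contain `''`, so the job is rejected with `bad option `; skip empty tokens with `if ($param === '') continue;` as the first statement of the loop. The space test covers only the U+0020 character, so a tab or newline inside a token passes, and `if (preg_match('/\s/', $param))` would reject all whitespace. The part after `=` is not checked at all, which matters if the string is later handed to a shell (that code is outside the hunk). The identical loop in the second hunk (old line 1764) has the same gaps, and `mailbox()` begins and ends outside both hunks.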
 | 
	
	
		
			
				|  | @@ -1764,8 +1789,34 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
 | 
	
		
			
				|  |  |                );
 | 
	
		
			
				|  |  |                continue;
 | 
	
		
			
				|  |  |              }
 | 
	
		
			
				|  |  | -            if (stripos($custom_params, 'pipemess') || stripos($custom_params, 'pipemes')) {
 | 
	
		
			
				|  |  | -              $custom_params = '';
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +            // validate custom params
 | 
	
		
			
				|  |  | +            foreach (explode(' -', $custom_params) as $param){
 | 
	
		
			
				|  |  | +              if (str_contains($param, ' ')) {
 | 
	
		
			
				|  |  | +                // bad char
 | 
	
		
			
				|  |  | +                $_SESSION['return'][] = array(
 | 
	
		
			
				|  |  | +                  'type' => 'danger',
 | 
	
		
			
				|  |  | +                  'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
 | 
	
		
			
				|  |  | +                  'msg' => 'bad character SPACE'
 | 
	
		
			
				|  |  | +                );
 | 
	
		
			
				|  |  | +                return false;
 | 
	
		
			
				|  |  | +              }
 | 
	
		
			
				|  |  | +  
 | 
	
		
			
				|  |  | +              // extract option
 | 
	
		
			
				|  |  | +              if (str_contains($param, '=')) $param = explode('=', $param)[0];
 | 
	
		
			
				|  |  | +              // remove first char if first char is -
 | 
	
		
			
				|  |  | +              if ($param[0] == '-') $param = ltrim($param, $param[0]);
 | 
	
		
			
				|  |  | +              
 | 
	
		
			
				|  |  | +              // check if param is whitelisted
 | 
	
		
			
				|  |  | +              if (!in_array(strtolower($param), $GLOBALS["IMAPSYNC_OPTIONS"]["whitelist"])){
 | 
	
		
			
				|  |  | +                // bad option
 | 
	
		
			
				|  |  | +                $_SESSION['return'][] = array(
 | 
	
		
			
				|  |  | +                  'type' => 'danger',
 | 
	
		
			
				|  |  | +                  'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
 | 
	
		
			
				|  |  | +                  'msg' => 'bad option '. $param
 | 
	
		
			
				|  |  | +                );
 | 
	
		
			
				|  |  | +                return false;
 | 
	
		
			
				|  |  | +              }
 | 
	
		
			
				|  |  |              }
 | 
	
		
			
				|  |  |              if (empty($subfolder2)) {
 | 
	
		
			
				|  |  |                $subfolder2 = "";
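Review bot: The two new failure branches in this hunk leave with `return false;`, while the error branch directly above them ends in `continue;`, which suggests this code runs inside a loop over several items (the loop header is outside the hunk). If so, one job with a rejected option aborts the whole batch instead of only skipping that job; `continue;` after recording the message would match the surrounding branch. The validation is also a verbatim copy of the loop in the first hunk, so moving it into one helper that returns the offending option (or `null`) would keep the two call sites from drifting apart.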
 |