readd imapsync fix

data/web/inc/functions.mailbox.inc.php

@@ -341,7 +341,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           foreach (explode(' -', $custom_params) as $param){
             if(empty($param)) continue;
 
-            if (str_contains($param, ' ')) {
+            if (str_contains(explode('=', $param)[0], ' ')) {
               // bad char
               $_SESSION['return'][] = array(
                 'type' => 'danger',
@@ -1796,7 +1796,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             foreach (explode(' -', $custom_params) as $param){
               if(empty($param)) continue;
 
-              if (str_contains($param, ' ')) {
+              if (str_contains(explode('=', $param)[0], ' ')) {
                 // bad char
                 $_SESSION['return'][] = array(
                   'type' => 'danger',

data/web/inc/init_db.inc.php

@@ -3,7 +3,7 @@ function init_db_schema() {
   try {
     global $pdo;
 
-    $db_version = "04072022_1642";
+    $db_version = "13072022_1700";
 
     $stmt = $pdo->query("SHOW TABLES LIKE 'versions'");
     $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
@@ -440,7 +440,7 @@ function init_db_schema() {
           "spam_score" => "TINYINT(1) NOT NULL DEFAULT '1'",
           "spam_policy" => "TINYINT(1) NOT NULL DEFAULT '1'",
           "delimiter_action" => "TINYINT(1) NOT NULL DEFAULT '1'",
-          "syncjobs" => "TINYINT(1) NOT NULL DEFAULT '1'",
+          "syncjobs" => "TINYINT(1) NOT NULL DEFAULT '0'",
           "eas_reset" => "TINYINT(1) NOT NULL DEFAULT '1'",
           "sogo_profile_reset" => "TINYINT(1) NOT NULL DEFAULT '0'",
           "pushover" => "TINYINT(1) NOT NULL DEFAULT '1'",
@@ -1227,8 +1227,16 @@ function init_db_schema() {
       $pdo->query($create);
     }
     
-    // Mitigate imapsync pipemess issue
-    $pdo->query("UPDATE `imapsync` SET `custom_params` = '' WHERE `custom_params` LIKE '%pipemess%';");
+    // Mitigate imapsync argument injection issue
+    $pdo->query("UPDATE `imapsync` SET `custom_params` = '' 
+      WHERE `custom_params` LIKE '%pipemess%' 
+        OR custom_params LIKE '%skipmess%' 
+        OR custom_params LIKE '%delete2foldersonly%' 
+        OR custom_params LIKE '%delete2foldersbutnot%' 
+        OR custom_params LIKE '%regexflag%' 
+        OR custom_params LIKE '%pipemess%' 
+        OR custom_params LIKE '%regextrans2%' 
+        OR custom_params LIKE '%maxlinelengthcmd%';");
     
     // Migrate webauthn tfa
     $stmt = $pdo->query("ALTER TABLE `tfa` MODIFY COLUMN `authmech` ENUM('yubi_otp', 'u2f', 'hotp', 'totp', 'webauthn')");

data/web/inc/vars.inc.php

@@ -232,131 +232,127 @@ $RSPAMD_MAPS = array(
 
 $IMAPSYNC_OPTIONS = array(
   'whitelist' => array(
-      'log',
-      'showpasswords',   
-      'nossl1',            
-      'nossl2',            
-      'ssl2',              
-      'notls1',             
-      'notls2',            
-      'tls2',              
-      'debugssl', 
-      'sslargs1',
-      'sslargs2', 
-      'authmech1',
-      'authmech2',
-      'authuser1', 
-      'authuser2',  
-      'proxyauth1',        
-      'proxyauth2',        
-      'authmd51',          
-      'authmd52',         
-      'domain1',
-      'domain2',
-      'oauthaccesstoken1',
-      'oauthaccesstoken2',
-      'oauthdirect1',
-      'oauthdirect2',
-      'folder',
-      'folder', 
-      'folderrec',
-      'folderrec', 
-      'folderfirst',
-      'folderfirst', 
-      'folderlast',
-      'folderlast',
-      'nomixfolders',  
-      'skipemptyfolders',
-      'include',
-      'include',
-      'subfolder1',
-      'subscribed',
-      'subscribe',  
-      'prefix1',
-      'prefix2',
-      'sep1',
-      'sep2',
-      'nofoldersizesatend',
-      'justfoldersizes', 
-      'pidfile', 
-      'pidfilelocking',  
-      'nolog',        
-      'logfile', 
-      'logdir',
-      'debugcrossduplicates', 
-      'disarmreadreceipts', 
-      'truncmess', 
-      'synclabels',     
-      'resynclabels',     
-      'resyncflags',   
-      'noresyncflags',  
-      'filterbuggyflags',  
-      'expunge1',       
-      'noexpunge1',    
-      'delete1emptyfolders',
-      'delete2folders',   
-      'noexpunge2',   
-      'nouidexpunge2',   
-      'syncinternaldates',
-      'idatefromheader', 
-      'maxsize',
-      'minsize',
-      'minage',
-      'search', 
-      'search1',
-      'search2', 
-      'noabletosearch',  
-      'noabletosearch1',   
-      'noabletosearch2',  
-      'maxlinelength',
-      'useheader',
-      'useheader',   
-      'syncduplicates',
-      'usecache',      
-      'nousecache',   
-      'useuid',     
-      'syncacls',
-      'nosyncacls',   
-      'debug',           
-      'debugfolders', 
-      'debugcontent',    
-      'debugflags',     
-      'debugimap1',   
-      'debugimap2',    
-      'debugimap',       
-      'debugmemory',     
-      'errorsmax',
-      'tests',      
-      'testslive',    
-      'testslive6',     
-      'gmail1',    
-      'gmail2',    
-      'office1',      
-      'office2',   
-      'exchange1',   
-      'exchange2',   
-      'domino1',  
-      'domino2',   
-      'keepalive1',   
-      'keepalive2',     
-      'maxmessagespersecond',
-      'maxbytesafter',
-      'maxsleep',
-      'abort',       
-      'exitwhenover',
-      'noid',  
-      'justconnect',   
-      'justlogin',  
-      'justfolders'
+    'authmech1',
+    'authmech2',
+    'authuser1', 
+    'authuser2', 
+    'debugcontent', 
+    'disarmreadreceipts', 
+    'logdir',
+    'debugcrossduplicates', 
+    'maxsize',
+    'minsize',
+    'minage',
+    'search', 
+    'noabletosearch', 
+    'pidfile', 
+    'pidfilelocking', 
+    'search1',
+    'search2', 
+    'sslargs1',
+    'sslargs2', 
+    'syncduplicates',
+    'usecache', 
+    'synclabels', 
+    'truncmess',  
+    'domino2',  
+    'expunge1',  
+    'filterbuggyflags',  
+    'justconnect',  
+    'justfolders',  
+    'maxlinelength',
+    'useheader',  
+    'noabletosearch1',  
+    'nolog',  
+    'prefix1',
+    'prefix2',
+    'sep1',
+    'sep2',
+    'nofoldersizesatend',
+    'justfoldersizes',  
+    'proxyauth1',  
+    'skipemptyfolders',
+    'include',
+    'subfolder1',
+    'subscribed',
+    'subscribe',   
+    'debug',   
+    'debugimap2',   
+    'domino1',   
+    'exchange1',   
+    'exchange2',   
+    'justlogin',   
+    'keepalive1',   
+    'keepalive2',   
+    'noabletosearch2',   
+    'noexpunge2',   
+    'noresyncflags',   
+    'nossl1',   
+    'nouidexpunge2',   
+    'syncinternaldates',
+    'idatefromheader',   
+    'useuid',    
+    'debugflags',    
+    'debugimap',    
+    'delete1emptyfolders',
+    'delete2folders',    
+    'gmail2',    
+    'office1',    
+    'testslive6',     
+    'debugimap1',     
+    'errorsmax',
+    'tests',     
+    'gmail1',     
+    'maxmessagespersecond',
+    'maxbytesafter',
+    'maxsleep',
+    'abort',     
+    'resyncflags',     
+    'resynclabels',     
+    'syncacls',
+    'nosyncacls',      
+    'nousecache',      
+    'office2',      
+    'testslive',       
+    'debugmemory',       
+    'exitwhenover',
+    'noid',       
+    'noexpunge1',        
+    'authmd51',        
+    'logfile',        
+    'proxyauth2',         
+    'domain1',
+    'domain2',
+    'oauthaccesstoken1',
+    'oauthaccesstoken2',
+    'oauthdirect1',
+    'oauthdirect2',
+    'folder',
+    'folderrec',
+    'folderfirst',
+    'folderlast',
+    'nomixfolders',          
+    'authmd52',           
+    'debugfolders',            
+    'nossl2',            
+    'ssl2',            
+    'tls2',             
+    'notls2',              
+    'debugssl',              
+    'notls1', 
+    'inet4',
+    'inet6',
+    'log',
+    'showpasswords'
   ),
   'blacklist' => array(
-      'skipmess',
-      'delete2foldersonly',
-      'delete2foldersbutnot',
-      'regexflag',
-      'regexmess',
-      'pipemess',
-      'regextrans2',
-      'maxlinelengthcmd'
+    'skipmess',
+    'delete2foldersonly',
+    'delete2foldersbutnot',
+    'regexflag',
+    'regexmess',
+    'pipemess',
+    'regextrans2',
+    'maxlinelengthcmd'
   )
 );