Path safety checks for API that actually work
This commit is contained in:
parent
5f82811ab3
commit
012ed1e825
31
web/api.php
31
web/api.php
|
@ -8,7 +8,16 @@ ini_set('display_errors', 1);
|
||||||
include_once(ROOT.DS.'inc'.DS.'core.php');
|
include_once(ROOT.DS.'inc'.DS.'core.php');
|
||||||
|
|
||||||
$action = strtolower($_REQUEST['a']);
|
$action = strtolower($_REQUEST['a']);
|
||||||
$email = basename(realpath(strtolower($_REQUEST['email'])));
|
$email = strtolower($_REQUEST['email']);
|
||||||
|
if(!empty($email)){
|
||||||
|
if(!filter_var($email, FILTER_VALIDATE_EMAIL)){
|
||||||
|
// email param provided, but invalid: skip action and show invalid email error
|
||||||
|
$o = array('status'=>'err','reason'=>'Invalid Email address');
|
||||||
|
unset($action);
|
||||||
|
}
|
||||||
|
$dir = getDirForEmail($email);
|
||||||
|
$email = basename($dir);
|
||||||
|
}
|
||||||
|
|
||||||
switch($action)
|
switch($action)
|
||||||
{
|
{
|
||||||
|
@ -20,10 +29,8 @@ switch($action)
|
||||||
case 'attachment':
|
case 'attachment':
|
||||||
$id = $_REQUEST['id'];
|
$id = $_REQUEST['id'];
|
||||||
$filename = basename(realpath($_REQUEST['filename']));
|
$filename = basename(realpath($_REQUEST['filename']));
|
||||||
$filepath = ROOT.DS.'..'.DS.'data'.DS.$email.DS.'attachments'.DS.$id.'-'.$filename;
|
$filepath = $dir.DS.'attachments'.DS.$id.'-'.$filename;
|
||||||
if(!filter_var($email, FILTER_VALIDATE_EMAIL))
|
if(!is_dir($dir))
|
||||||
$o = array('status'=>'err','reason'=>'Invalid Email address');
|
|
||||||
else if(!is_dir(ROOT.DS.'..'.DS.'data'.DS.$email))
|
|
||||||
$o = array('status'=>'err','reason'=>'No emails received on this address');
|
$o = array('status'=>'err','reason'=>'No emails received on this address');
|
||||||
else if(!is_numeric($id) || !emailIDExists($email,$id))
|
else if(!is_numeric($id) || !emailIDExists($email,$id))
|
||||||
$o = array('status'=>'err','reason'=>'Invalid Email ID');
|
$o = array('status'=>'err','reason'=>'Invalid Email ID');
|
||||||
|
@ -39,9 +46,9 @@ switch($action)
|
||||||
|
|
||||||
case 'load':
|
case 'load':
|
||||||
$id = $_REQUEST['id'];
|
$id = $_REQUEST['id'];
|
||||||
if(!filter_var($email, FILTER_VALIDATE_EMAIL))
|
if(empty($email))
|
||||||
$o = array('status'=>'err','reason'=>'Invalid Email address');
|
$o = array('status'=>'err','reason'=>'No email address provided');
|
||||||
else if(!is_dir(ROOT.DS.'..'.DS.'data'.DS.$email))
|
else if(!is_dir($dir))
|
||||||
$o = array('status'=>'err','reason'=>'No emails received on this address');
|
$o = array('status'=>'err','reason'=>'No emails received on this address');
|
||||||
else if(!is_numeric($id) || !emailIDExists($email,$id))
|
else if(!is_numeric($id) || !emailIDExists($email,$id))
|
||||||
$o = array('status'=>'err','reason'=>'Invalid Email ID');
|
$o = array('status'=>'err','reason'=>'Invalid Email ID');
|
||||||
|
@ -59,13 +66,11 @@ switch($action)
|
||||||
|
|
||||||
case 'list':
|
case 'list':
|
||||||
$settings = loadSettings();
|
$settings = loadSettings();
|
||||||
if(!filter_var($email, FILTER_VALIDATE_EMAIL))
|
if($settings['ADMIN'] && $settings['ADMIN']==$email)
|
||||||
$o = array('status'=>'err','reason'=>'Invalid Email address');
|
|
||||||
else if($settings['ADMIN'] && $settings['ADMIN']==$email)
|
|
||||||
{
|
{
|
||||||
$o['status'] = 'ok';
|
$o['status'] = 'ok';
|
||||||
$o['type'] = 'admin';
|
$o['type'] = 'admin';
|
||||||
$o['dateformat'] = $settings['DATEFORMAT'];
|
$o['dateformat'] = $settings['DATEFORMAT'];
|
||||||
$emails = listEmailAdresses();
|
$emails = listEmailAdresses();
|
||||||
$emaillist = array();
|
$emaillist = array();
|
||||||
|
|
||||||
|
@ -86,7 +91,7 @@ switch($action)
|
||||||
|
|
||||||
$o['emails']=$data;
|
$o['emails']=$data;
|
||||||
}
|
}
|
||||||
else if(!is_dir(ROOT.DS.'..'.DS.'data'.DS.$email))
|
else if(!is_dir($dir))
|
||||||
$o = array('status'=>'ok','emails'=>[]);
|
$o = array('status'=>'ok','emails'=>[]);
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
|
|
Loading…
Reference in a new issue