Merge pull request #32 from Dan-Q/master

Fix the fix to path traversal attack, refactor

web/api.php

@@ -8,7 +8,16 @@ ini_set('display_errors', 1);
 include_once(ROOT.DS.'inc'.DS.'core.php');
 
 $action = strtolower($_REQUEST['a']);
-$email = basename(realpath(strtolower($_REQUEST['email'])));
+$email = strtolower($_REQUEST['email']);
+if(!empty($email)){
+  if(!filter_var($email, FILTER_VALIDATE_EMAIL)){
+    // email param provided, but invalid: skip action and show invalid email error
+    $o = array('status'=>'err','reason'=>'Invalid Email address');
+    unset($action);
+  }
+  $dir = getDirForEmail($email);
+  $email = basename($dir);
+}
 
 switch($action)
 {
@@ -18,12 +27,10 @@ switch($action)
             $o = explode(',',$settings['DOMAINS']);
     break;
     case 'attachment':
-        $id = $_REQUEST['id'];
+        $id = intval($_REQUEST['id']);
         $filename = basename(realpath($_REQUEST['filename']));
-        $filepath = ROOT.DS.'..'.DS.'data'.DS.$email.DS.'attachments'.DS.$id.'-'.$filename;
-        if(!filter_var($email, FILTER_VALIDATE_EMAIL))
-            $o = array('status'=>'err','reason'=>'Invalid Email address');
-        else if(!is_dir(ROOT.DS.'..'.DS.'data'.DS.$email))
+        $filepath = $dir.DS.'attachments'.DS.$id.'-'.$filename;
+        if(!is_dir($dir))
             $o = array('status'=>'err','reason'=>'No emails received on this address');
         else if(!is_numeric($id) || !emailIDExists($email,$id))
             $o = array('status'=>'err','reason'=>'Invalid Email ID');
@@ -38,10 +45,10 @@ switch($action)
     break;
 
     case 'load':
-        $id = $_REQUEST['id'];
-        if(!filter_var($email, FILTER_VALIDATE_EMAIL))
-            $o = array('status'=>'err','reason'=>'Invalid Email address');
-        else if(!is_dir(ROOT.DS.'..'.DS.'data'.DS.$email))
+        $id = intval($_REQUEST['id']);
+        if(empty($email))
+            $o = array('status'=>'err','reason'=>'No email address provided');
+        else if(!is_dir($dir))
             $o = array('status'=>'err','reason'=>'No emails received on this address');
         else if(!is_numeric($id) || !emailIDExists($email,$id))
             $o = array('status'=>'err','reason'=>'Invalid Email ID');
@@ -58,14 +65,12 @@ switch($action)
     break;
 
     case 'list':
-        $settings = loadSettings();
-        if(!filter_var($email, FILTER_VALIDATE_EMAIL))
-            $o = array('status'=>'err','reason'=>'Invalid Email address');
-        else if($settings['ADMIN'] && $settings['ADMIN']==$email)
+        $settings = loadSettings();        
+        if($settings['ADMIN'] && $settings['ADMIN']==$email)
         {
             $o['status'] = 'ok';
             $o['type'] = 'admin';
-			$o['dateformat'] = $settings['DATEFORMAT'];
+                        $o['dateformat'] = $settings['DATEFORMAT'];
             $emails = listEmailAdresses();
             $emaillist = array();
             
@@ -86,7 +91,7 @@ switch($action)
 
             $o['emails']=$data;
         }
-        else if(!is_dir(ROOT.DS.'..'.DS.'data'.DS.$email))
+        else if(!is_dir($dir))
             $o = array('status'=>'ok','emails'=>[]);
         else
         {

web/inc/core.php

@@ -1,5 +1,10 @@
 <?php
 
+function getDirForEmail($email)
+{
+    return realpath(ROOT.DS.'..'.DS.'data'.DS.$email);
+}
+
 function startsWith($haystack, $needle)
 {
      $length = strlen($needle);
@@ -18,22 +23,22 @@ function endsWith($haystack, $needle)
 
 function getEmail($email,$id)
 {
-    return json_decode(file_get_contents(ROOT.DS.'..'.DS.'data'.DS.$email.DS.$id.'.json'),true);
+    return json_decode(file_get_contents(getDirForEmail($email).DS.$id.'.json'),true);
 }
 
 function emailIDExists($email,$id)
 {
-    return file_exists(ROOT.DS.'..'.DS.'data'.DS.$email.DS.$id.'.json');
+    return file_exists(getDirForEmail($email).DS.$id.'.json');
 }
 
 function getEmailsOfEmail($email)
 {
     $o = false;
-    if ($handle = opendir(ROOT.DS.'..'.DS.'data'.DS.$email)) {
+    if ($handle = opendir(getDirForEmail($email))) {
         while (false !== ($entry = readdir($handle))) {
             if (endsWith($entry,'.json')) {
                 $time = substr($entry,0,-5);
-                $json = json_decode(file_get_contents(ROOT.DS.'..'.DS.'data'.DS.$email.DS.$entry),true);
+                $json = json_decode(file_get_contents(getDirForEmail($email).DS.$entry),true);
                 $o[$time] = array('from'=>$json['parsed']['from'],'subject'=>$json['parsed']['subject']);
             }
         }
@@ -66,4 +71,4 @@ function loadSettings()
     if(file_exists(ROOT.DS.'..'.DS.'config.ini'))
         return parse_ini_file(ROOT.DS.'..'.DS.'config.ini');
     return false;
-}
+}