From 5f82811ab35bbd5fac0d5a671c874398071ac55d Mon Sep 17 00:00:00 2001
From: Dan Q
Date: Thu, 12 Aug 2021 09:04:14 +0100
Subject: [PATCH 1/5] Add getDirForEmail to perform realPath filtering in core

---
 web/inc/core.php | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/web/inc/core.php b/web/inc/core.php
index e6593ea..2e4ba23 100644
--- a/web/inc/core.php
+++ b/web/inc/core.php
@@ -1,5 +1,10 @@ $json['parsed']['from'],'subject'=>$json['parsed']['subject']); } }
@@ -66,4 +71,4 @@ function loadSettings()
 if(file_exists(ROOT.DS.'..'.DS.'config.ini'))
 return parse_ini_file(ROOT.DS.'..'.DS.'config.ini');
 return false;
-}
\ No newline at end of file
+}

From 012ed1e82590427bfb11f9adc1f0397b525a8435 Mon Sep 17 00:00:00 2001
From: Dan Q
Date: Thu, 12 Aug 2021 09:05:10 +0100
Subject: [PATCH 2/5] Path safety checks for API that actually work

---
 web/api.php | 33 +++++++++++++++++++--------------
 1 file changed, 19 insertions(+), 14 deletions(-)

diff --git a/web/api.php b/web/api.php
index 669f614..12cc7dc 100644
--- a/web/api.php
+++ b/web/api.php
@@ -8,7 +8,16 @@ ini_set('display_errors', 1);
 include_once(ROOT.DS.'inc'.DS.'core.php');

 $action = strtolower($_REQUEST['a']);
-$email = basename(realpath(strtolower($_REQUEST['email'])));
+$email = strtolower($_REQUEST['email']);
+if(!empty($email)){
+ if(!filter_var($email, FILTER_VALIDATE_EMAIL)){
+ // email param provided, but invalid: skip action and show invalid email error
+ $o = array('status'=>'err','reason'=>'Invalid Email address');
+ unset($action);
+ }
+ $dir = getDirForEmail($email);
+ $email = basename($dir);
+}

 switch($action)
 {
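Review bot: In the new preamble the invalid-email branch sets `$o` and unsets `$action` but then still falls through to `getDirForEmail($email)` and `$email = basename($dir)`, so the path helper is run on an address that has just failed validation; wrapping those two lines in an `else` keeps the helper on validated input only. `strtolower($_REQUEST['email'])` and `switch($action)` after `unset($action)` both read undefined values when the parameter is absent, which PHP 8 reports as warnings, and `$dir` is only ever assigned inside the `if(!empty($email))` block even though the `case 'attachment'` hunk below uses it unconditionally; `$_REQUEST['email'] ?? ''`, `$action = null` and a `$dir = null` initialiser make all three explicit without changing which case is matched. Note also that FILTER_VALIDATE_EMAIL accepts RFC 5322 local-part characters such as `/`, so the validation is not itself a path guard; the real protection has to live in getDirForEmail, whose body is not in this hunk, and it should confirm the resolved path stays under the data directory. The `switch` body continues outside the hunk.
```php
$email = strtolower($_REQUEST['email'] ?? '');
$dir = null;
if(!empty($email)){
  if(!filter_var($email, FILTER_VALIDATE_EMAIL)){
    // email param provided, but invalid: skip action and show invalid email error
    $o = array('status'=>'err','reason'=>'Invalid Email address');
    $action = null;
  } else {
    // only resolve the mailbox directory for an address that passed validation
    $dir = getDirForEmail($email);
    $email = basename($dir);
  }
}
// … unchanged: switch($action) …
```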
@@ -20,10 +29,8 @@ switch($action)
 case 'attachment':
 $id = $_REQUEST['id'];
 $filename = basename(realpath($_REQUEST['filename']));
-$filepath = ROOT.DS.'..'.DS.'data'.DS.$email.DS.'attachments'.DS.$id.'-'.$filename;
-if(!filter_var($email, FILTER_VALIDATE_EMAIL))
-$o = array('status'=>'err','reason'=>'Invalid Email address');
-else if(!is_dir(ROOT.DS.'..'.DS.'data'.DS.$email))
+$filepath = $dir.DS.'attachments'.DS.$id.'-'.$filename;
+if(!is_dir($dir))
 $o = array('status'=>'err','reason'=>'No emails received on this address');
 else if(!is_numeric($id) || !emailIDExists($email,$id))
 $o = array('status'=>'err','reason'=>'Invalid Email ID');
@@ -39,9 +46,9 @@ switch($action)

 case 'load':
 $id = $_REQUEST['id'];
-if(!filter_var($email, FILTER_VALIDATE_EMAIL))
-$o = array('status'=>'err','reason'=>'Invalid Email address');
-else if(!is_dir(ROOT.DS.'..'.DS.'data'.DS.$email))
+if(empty($email))
+$o = array('status'=>'err','reason'=>'No email address provided');
+else if(!is_dir($dir))
 $o = array('status'=>'err','reason'=>'No emails received on this address');
 else if(!is_numeric($id) || !emailIDExists($email,$id))
 $o = array('status'=>'err','reason'=>'Invalid Email ID');
@@ -58,14 +65,12 @@ switch($action)
 break;

 case 'list':
-$settings = loadSettings();
-if(!filter_var($email, FILTER_VALIDATE_EMAIL))
-$o = array('status'=>'err','reason'=>'Invalid Email address');
-else if($settings['ADMIN'] && $settings['ADMIN']==$email)
+$settings = loadSettings();
+if($settings['ADMIN'] && $settings['ADMIN']==$email)
 {
 $o['status'] = 'ok';
 $o['type'] = 'admin';
-$o['dateformat'] = $settings['DATEFORMAT'];
+$o['dateformat'] = $settings['DATEFORMAT'];
 $emails = listEmailAdresses();
 $emaillist = array();

@@ -86,7 +91,7 @@ switch($action)

 $o['emails']=$data;
 }
-else if(!is_dir(ROOT.DS.'..'.DS.'data'.DS.$email))
+else if(!is_dir($dir))
 $o = array('status'=>'ok','emails'=>[]);
 else
 {

From 09538300d60ff4f21a6edc38a811254352badf9b Mon Sep 17 00:00:00 2001
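Review bot: The new `$filepath` and `is_dir($dir)` lines depend on `$dir`, but the preamble in the previous hunk only assigns it when an email parameter was supplied, so a request with no address builds `$filepath` from an unset variable and then reports "No emails received on this address". The 'load' hunk gains an explicit guard for that case; this case should get the same first branch, `if(empty($email)) $o = array('status'=>'err','reason'=>'No email address provided'); else if(!is_dir($dir))`. Unrelated to this commit but feeding the same path: `basename(realpath($_REQUEST['filename']))` resolves the client string against the server's working directory and yields an empty name whenever no such local path exists, so it is worth checking what actually reaches `$filepath` — `basename($_REQUEST['filename'])` alone is the usual choice for stripping directory components. The rest of the case body continues past the hunk.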
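Review bot: `empty($email)` here tests the value after the preamble replaced it with `basename($dir)`, not the address the client sent, so if getDirForEmail returns `false` or an empty string for an address that has no mailbox directory yet, `basename()` yields `''` and the client is told "No email address provided" although one was given. Keeping the validated address in its own variable (e.g. `$requestedEmail`) and testing that here, or testing `$dir === null`, would keep the two error messages distinct. getDirForEmail's body is not visible in this series, so whether it returns a falsy value for a missing directory needs confirming.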
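Review bot: `$settings['ADMIN'] && $settings['ADMIN']==$email` is now evaluated for every list request, including when no address was supplied and `$email` is `''`, and patch 1/5 shows `loadSettings()` returns `false` when config.ini is missing, so this line then reads an array offset on a boolean and emits a warning. Guard it with `if(is_array($settings) && !empty($settings['ADMIN']) && $settings['ADMIN'] === $email)`; the strict comparison also avoids PHP's numeric-string equality rules for `==`. More broadly, the admin listing is gated only on the client supplying the configured admin address, so anyone who knows or guesses it can enumerate every mailbox — that predates this commit, but a secret token or session check is the usual guard for such a branch. The `$emaillist` loop continues past the hunk.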
From: Dan Q
Date: Thu, 12 Aug 2021 09:05:36 +0100
Subject: [PATCH 3/5] Add provided (sanitised) email to output JSON

---
 web/api.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/web/api.php b/web/api.php
index 12cc7dc..2c97656 100644
--- a/web/api.php
+++ b/web/api.php
@@ -112,5 +112,6 @@ switch($action)
 break;
 }

+$o['email'] = $email;
 echo json_encode($o);
 //var_dump($o);

From d9a215e315c6e6a0a9a7728a545171c17e522741 Mon Sep 17 00:00:00 2001
From: Dan Q
Date: Thu, 12 Aug 2021 09:11:22 +0100
Subject: [PATCH 4/5] Removed debug code

Adding the email to the output breaks e.g. getting the list of domains (which breaks generating random addresses)
---
 web/api.php | 1 -
 1 file changed, 1 deletion(-)

diff --git a/web/api.php b/web/api.php
index 2c97656..12cc7dc 100644
--- a/web/api.php
+++ b/web/api.php
@@ -112,6 +112,5 @@ switch($action)
 break;
 }

-$o['email'] = $email;
 echo json_encode($o);
 //var_dump($o);

From 7543c005b59ac11958ca2146390b3b4dcdc1960b Mon Sep 17 00:00:00 2001
From: Dan Q
Date: Thu, 12 Aug 2021 09:19:22 +0100
Subject: [PATCH 5/5] Ensure email ID is an integer

Inspired by PR #28.
---
 web/api.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/web/api.php b/web/api.php
index 12cc7dc..4b1839f 100644
--- a/web/api.php
+++ b/web/api.php
@@ -27,7 +27,7 @@ switch($action)
 $o = explode(',',$settings['DOMAINS']);
 break;
 case 'attachment':
-$id = $_REQUEST['id'];
+$id = intval($_REQUEST['id']);
 $filename = basename(realpath($_REQUEST['filename']));
 $filepath = $dir.DS.'attachments'.DS.$id.'-'.$filename;
 if(!is_dir($dir))
@@ -45,7 +45,7 @@ switch($action)
 break;

 case 'load':
-$id = $_REQUEST['id'];
+$id = intval($_REQUEST['id']);
 if(empty($email))
 $o = array('status'=>'err','reason'=>'No email address provided');
 else if(!is_dir($dir))
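Review bot: `intval($_REQUEST['id'])` makes the `!is_numeric($id)` check that still follows in the unchanged lines unreachable and silently maps any non-numeric or partly numeric value (`abc`, `7abc`) to 0 or 7 instead of rejecting it; on PHP 8 a missing `id` parameter also triggers an undefined-array-key warning before intval sees it. `$id = filter_var($_REQUEST['id'] ?? null, FILTER_VALIDATE_INT);` returns `false` for anything that is not a whole integer and keeps the existing `!is_numeric($id)` branch meaningful, since `is_numeric(false)` is false. The same applies to the `case 'load'` hunk that follows this one. Both case bodies continue outside their hunks.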