From 88376566f9c93adec6e472c7282e13472e71f473 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 12 Dec 2025 16:12:37 +0000
Subject: [PATCH] Add validation for User-Agent in DEV_MODE bypass

Co-authored-by: DerLinkman <62480600+DerLinkman@users.noreply.github.com>
---
 data/web/inc/sessions.inc.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/data/web/inc/sessions.inc.php b/data/web/inc/sessions.inc.php
index 873d3e4e7..8dc86bc04 100644
--- a/data/web/inc/sessions.inc.php
+++ b/data/web/inc/sessions.inc.php
@@ -134,12 +134,13 @@ if (isset($_POST["logout"])) {
 // Check session
 function session_check() {
 global $DEV_MODE;
+
 if (isset($_SESSION['mailcow_cc_api']) && $_SESSION['mailcow_cc_api'] === true) {
 return true;
 }
 if (!isset($_SESSION['SESS_REMOTE_UA']) || ($_SESSION['SESS_REMOTE_UA'] != $_SERVER['HTTP_USER_AGENT'])) {
 // In development mode, allow User-Agent changes (e.g., for responsive testing in dev tools)
- if ($DEV_MODE && isset($_SESSION['SESS_REMOTE_UA'])) {
+ if ($DEV_MODE && isset($_SESSION['SESS_REMOTE_UA']) && !empty($_SERVER['HTTP_USER_AGENT']) && strlen($_SERVER['HTTP_USER_AGENT']) < 500) {
 $_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT'];
 return true;
 }
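Review bot: The new `!empty(...)` and `strlen(...) < 500` conditions on the DEV_MODE branch only bound what is written to `$_SESSION['SESS_REMOTE_UA']`; they do not restore the User-Agent binding, so with `$DEV_MODE` set any request that carries the session cookie and a non-empty header under 500 bytes still passes `session_check()` and overwrites the stored value. That should be stated where the branch lives, e.g. `// DEV_MODE disables the UA binding; the empty/length checks only limit stored data and are not an authentication control — never enable in production`, and the bare `500` would read better as a named constant. The outer condition still reads `$_SERVER['HTTP_USER_AGENT']` unguarded, so a request without the header reaches the `!=` comparison before the new `!empty()` check; using `($_SERVER['HTTP_USER_AGENT'] ?? '')` there would make the two checks consistent. `session_check()` continues past the end of the hunk, so what happens on the non-DEV path is not visible here.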