public/mailcow-dockerized
1
0
Fork 0
mirror of https://github.com/mailcow/mailcow-dockerized.git synced 2025-12-13 09:56:01 +00:00
Code Issues Releases Wiki Activity

[Web] Escape mailbox name before querying aliases

Browse Source
This commit is contained in:
FreddleSpl0it
2025-01-14 11:18:20 +01:00
parent 69f6a82905
commit abd789f629
2 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
data/web/inc/functions.mailbox.inc.php
View File

@@ -3768,7 +3768,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
$data['external_sender_aliases'] = array();
// Fixed addresses
$stmt = $pdo->prepare("SELECT `address` FROM `alias` WHERE `goto` REGEXP :goto AND `address` NOT LIKE '@%'");
$stmt->execute(array(':goto' => '(^|,)'.$_data.'($|,)'));
$stmt->execute(array(':goto' => '(^|,)'.preg_quote($_data, '/').'($|,)'));
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
while ($row = array_shift($rows)) {
$data['fixed_sender_aliases'][] = $row['address'];
@@ -5534,7 +5534,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
));
$stmt = $pdo->prepare("SELECT `address`, `goto` FROM `alias`
WHERE `goto` REGEXP :username");
$stmt->execute(array(':username' => '(^|,)'.$username.'($|,)'));
$stmt->execute(array(':username' => '(^|,)'.preg_quote($username, '/').'($|,)'));
$GotoData = $stmt->fetchAll(PDO::FETCH_ASSOC);
foreach ($GotoData as $gotos) {
$goto_exploded = explode(',', $gotos['goto']);