Fix DEV_MODE bypass to work when SESS_REMOTE_UA not set

Co-authored-by: DerLinkman <62480600+DerLinkman@users.noreply.github.com>

data/Dockerfiles/dovecot/imapsync_runner.pl

@@ -117,77 +117,51 @@ while ($row = $sth->fetchrow_arrayref()) {
   if ($enc1 eq "TLS") { $enc1 = "--tls1"; } elsif ($enc1 eq "SSL") { $enc1 = "--ssl1"; } else { undef $enc1; }
 
   my $template = $run_dir . '/imapsync.XXXXXXX';
+  my $passfile1 = File::Temp->new(TEMPLATE => $template);
   my $passfile2 = File::Temp->new(TEMPLATE => $template);
   
+  binmode( $passfile1, ":utf8" );
+  
+  print $passfile1 "$password1\n";
   print $passfile2 trim($master_pass) . "\n";
 
   my @custom_params_a = qqw($custom_params);
   my $custom_params_ref = \@custom_params_a;
 
-  # Helper function to run imapsync with a specific encoding for password1
+  my $generated_cmds = [ "/usr/local/bin/imapsync",
-  my $run_imapsync = sub {
+  "--tmpdir", "/tmp",
-    my ($encoding) = @_;
+  "--nofoldersizes",
-    
+  "--addheader",
-    my $passfile1 = File::Temp->new(TEMPLATE => $template);
+  ($timeout1 le "0" ? () : ('--timeout1', $timeout1)),
-    
+  ($timeout2 le "0" ? () : ('--timeout2', $timeout2)),
-    if ($encoding eq 'utf8') {
+  ($exclude eq "" ? () : ("--exclude", $exclude)),
-      binmode( $passfile1, ":utf8" );
+  ($subfolder2 eq "" ? () : ('--subfolder2', $subfolder2)),
-    } elsif ($encoding eq 'latin1') {
+  ($maxage eq "0" ? () : ('--maxage', $maxage)),
-      binmode( $passfile1, ":encoding(iso-8859-1)" );
+  ($maxbytespersecond eq "0" ? () : ('--maxbytespersecond', $maxbytespersecond)),
-    }
+  ($delete2duplicates ne "1" ? () : ('--delete2duplicates')),
-    
+  ($subscribeall  ne "1" ? () : ('--subscribeall')),
-    print $passfile1 "$password1\n";
+  ($delete1 ne "1" ? () : ('--delete')),
-    $passfile1->flush();
+  ($delete2 ne "1" ? () : ('--delete2')),
-
+  ($automap ne "1" ? () : ('--automap')),
-    my $generated_cmds = [ "/usr/local/bin/imapsync",
+  ($skipcrossduplicates ne "1" ? () : ('--skipcrossduplicates')),
-    "--tmpdir", "/tmp",
+  (!defined($enc1) ? () : ($enc1)),
-    "--nofoldersizes",
+  "--host1", $host1,
-    "--addheader",
+  "--user1", $user1,
-    ($timeout1 le "0" ? () : ('--timeout1', $timeout1)),
+  "--passfile1", $passfile1->filename,
-    ($timeout2 le "0" ? () : ('--timeout2', $timeout2)),
+  "--port1", $port1,
-    ($exclude eq "" ? () : ("--exclude", $exclude)),
+  "--host2", "localhost",
-    ($subfolder2 eq "" ? () : ('--subfolder2', $subfolder2)),
+  "--user2", $user2 . '*' . trim($master_user),
-    ($maxage eq "0" ? () : ('--maxage', $maxage)),
+  "--passfile2", $passfile2->filename,
-    ($maxbytespersecond eq "0" ? () : ('--maxbytespersecond', $maxbytespersecond)),
+  ($dry eq "1" ? ('--dry') : ()),
-    ($delete2duplicates ne "1" ? () : ('--delete2duplicates')),
+  '--no-modulesversion',
-    ($subscribeall  ne "1" ? () : ('--subscribeall')),
+  '--noreleasecheck'];
-    ($delete1 ne "1" ? () : ('--delete')),
-    ($delete2 ne "1" ? () : ('--delete2')),
-    ($automap ne "1" ? () : ('--automap')),
-    ($skipcrossduplicates ne "1" ? () : ('--skipcrossduplicates')),
-    (!defined($enc1) ? () : ($enc1)),
-    "--host1", $host1,
-    "--user1", $user1,
-    "--passfile1", $passfile1->filename,
-    "--port1", $port1,
-    "--host2", "localhost",
-    "--user2", $user2 . '*' . trim($master_user),
-    "--passfile2", $passfile2->filename,
-    ($dry eq "1" ? ('--dry') : ()),
-    '--no-modulesversion',
-    '--noreleasecheck'];
-
-    my $stdout;
-    run [@$generated_cmds, @$custom_params_ref], '&>', \$stdout;
-    
-    return $stdout;
-  };
 
   try {
     $is_running = $dbh->prepare("UPDATE imapsync SET is_running = 1, success = NULL, exit_status = NULL WHERE id = ?");
     $is_running->bind_param( 1, ${id} );
     $is_running->execute();
 
-    # First attempt with UTF-8 encoding (default behavior)
+    run [@$generated_cmds, @$custom_params_ref], '&>', \my $stdout;
-    my $stdout = $run_imapsync->('utf8');
-
-    # Check if authentication failed
-    my $auth_failed = ($stdout =~ /\b(LOGIN failed|authentication failed|AUTHENTICATIONFAILED)\b/i);
-    
-    # If authentication failed with UTF-8, retry with Latin-1 encoding for legacy passwords
-    if ($auth_failed) {
-      $stdout = $run_imapsync->('latin1');
-    }
 
     # check exit code and status
     ($exit_code, $exit_status) = ($stdout =~ m/Exiting\swith\sreturn\svalue\s(\d+)\s\(([^:)]+)/);

data/web/inc/functions.inc.php

@@ -3397,6 +3397,8 @@ function set_user_loggedin_session($user) {
   session_regenerate_id(true);
   $_SESSION['mailcow_cc_username'] = $user;
   $_SESSION['mailcow_cc_role'] = 'user';
+  // Update User-Agent after session regeneration to prevent validation errors
+  $_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT'];
   $sogo_sso_pass = file_get_contents("/etc/sogo-sso/sogo-sso.pass");
   $_SESSION['sogo-sso-user-allowed'][] = $user;
   $_SESSION['sogo-sso-pass'] = $sogo_sso_pass;

data/web/inc/sessions.inc.php

@@ -43,6 +43,9 @@ if (!isset($_SESSION['SESS_REMOTE_UA'])) {
 if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > $SESSION_LIFETIME)) {
   session_unset();
   session_destroy();
+  session_start();
+  // After destroying session, we need to reset the User-Agent for the new session
+  $_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT'];
 }
 $_SESSION['LAST_ACTIVITY'] = time();
 
@@ -134,6 +137,12 @@ function session_check() {
     return true;
   }
   if (!isset($_SESSION['SESS_REMOTE_UA']) || ($_SESSION['SESS_REMOTE_UA'] != $_SERVER['HTTP_USER_AGENT'])) {
+    // In development mode, allow User-Agent changes (e.g., for responsive testing in dev tools)
+    // Validate UA is not empty and has reasonable length (most UAs are under 200 chars, 500 is safe upper limit)
+    if (isset($GLOBALS['DEV_MODE']) && $GLOBALS['DEV_MODE'] && !empty($_SERVER['HTTP_USER_AGENT']) && strlen($_SERVER['HTTP_USER_AGENT']) < 500) {
+      $_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT'];
+      return true;
+    }
     $_SESSION['return'][] = array(
       'type' => 'warning',
       'msg' => 'session_ua'

data/web/inc/triggers.admin.inc.php

@@ -50,6 +50,8 @@ if (isset($_POST["login_user"]) && isset($_POST["pass_user"])) {
     session_regenerate_id(true);
 		$_SESSION['mailcow_cc_username'] = $login_user;
 		$_SESSION['mailcow_cc_role'] = "admin";
+		// Update User-Agent after session regeneration to prevent validation errors
+		$_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT'];
 		header("Location: /admin/dashboard");
     die();
 	}

data/web/inc/triggers.domainadmin.inc.php

@@ -7,6 +7,8 @@ if (!empty($_GET['sso_token'])) {
     session_regenerate_id(true);
     $_SESSION['mailcow_cc_username'] = $username;
     $_SESSION['mailcow_cc_role'] = 'domainadmin';
+    // Update User-Agent after session regeneration to prevent validation errors
+    $_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT'];
     header('Location: /domainadmin/mailbox');
   }
 }
@@ -61,6 +63,8 @@ if (isset($_POST["login_user"]) && isset($_POST["pass_user"])) {
     session_regenerate_id(true);
 		$_SESSION['mailcow_cc_username'] = $login_user;
 		$_SESSION['mailcow_cc_role'] = "domainadmin";
+		// Update User-Agent after session regeneration to prevent validation errors
+		$_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT'];
 		header("Location: /domainadmin/mailbox");
     die();
 	}