From 08cc7f673c377bf88897743e340097e93f1e95f4 Mon Sep 17 00:00:00 2001
From: ftimme <ft@falkotimme.com>
Date: Wed, 16 Jan 2013 09:30:05 -0500
Subject: [PATCH] - Changed regex for redirect path (Web sites, subdomains, vhost subdomains, alias domains) and web folder (vhost subdomains) so that ".." is not allowed (in order to prevent path traversals). - nginx: don't allow folders for proxy redirects (subdomains and alias domains); URL is required. - nginx: modified rewriting.

---
 interface/web/mail/mail_user_edit.php |   20 ++++++++++++++------
 1 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/interface/web/mail/mail_user_edit.php b/interface/web/mail/mail_user_edit.php
index 9fd3d5b..ca973c5 100644
--- a/interface/web/mail/mail_user_edit.php
+++ b/interface/web/mail/mail_user_edit.php
@@ -73,7 +73,8 @@
 		$email = $this->dataRecord["email"];
 		$email_parts = explode("@",$email);
 		$app->tpl->setVar("email_local_part",$email_parts[0]);
-		
+		$email_parts[1] = $app->functions->idn_decode($email_parts[1]);
+        
 		// Getting Domains of the user
 		// $sql = "SELECT domain, server_id FROM mail_domain WHERE ".$app->tform->getAuthSQL('r').' ORDER BY domain';
 		$sql = "SELECT domain, server_id FROM mail_domain WHERE domain NOT IN (SELECT SUBSTR(source,2) FROM mail_forwarding WHERE type = 'aliasdomain') AND ".$app->tform->getAuthSQL('r')." ORDER BY domain";
@@ -81,6 +82,7 @@
 		$domain_select = '';
 		if(is_array($domains)) {
 			foreach( $domains as $domain) {
+                $domain['domain'] = $app->functions->idn_decode($domain['domain']);
 				$selected = ($domain["domain"] == @$email_parts[1])?'SELECTED':'';
 				$domain_select .= "<option value='$domain[domain]' $selected>$domain[domain]</option>\r\n";
 			}
@@ -115,6 +117,12 @@
 			$app->tpl->setVar("ar_active", '');
 		}
 		
+		if($this->dataRecord['autoresponder_subject'] == '') {
+			$app->tpl->setVar('autoresponder_subject', $app->tform->lng('autoresponder_subject'));
+		} else {
+			$app->tpl->setVar('autoresponder_subject', $this->dataRecord['autoresponder_subject']);
+		}
+		
     $app->uses('getconf');
     $mail_config = $app->getconf->get_global_config('mail');
 		if($mail_config["enable_custom_login"] == "y") {
@@ -131,8 +139,8 @@
 		
 		//* Check if Domain belongs to user
 		if(isset($_POST["email_domain"])) {
-			$domain = $app->db->queryOneRecord("SELECT server_id, domain FROM mail_domain WHERE domain = '".$app->db->quote($_POST["email_domain"])."' AND ".$app->tform->getAuthSQL('r'));
-			if($domain["domain"] != $_POST["email_domain"]) $app->tform->errorMessage .= $app->tform->lng("no_domain_perm");
+			$domain = $app->db->queryOneRecord("SELECT server_id, domain FROM mail_domain WHERE domain = '".$app->db->quote($app->functions->idn_encode($_POST["email_domain"]))."' AND ".$app->tform->getAuthSQL('r'));
+			if($domain["domain"] != $app->functions->idn_encode($_POST["email_domain"])) $app->tform->errorMessage .= $app->tform->lng("no_domain_perm");
 		}
 		
 		
@@ -179,7 +187,7 @@
 		
 		//* compose the email field
 		if(isset($_POST["email_local_part"]) && isset($_POST["email_domain"])) {
-			$this->dataRecord["email"] = strtolower($_POST["email_local_part"]."@".$_POST["email_domain"]);
+			$this->dataRecord["email"] = strtolower($_POST["email_local_part"]."@".$app->functions->idn_encode($_POST["email_domain"]));
 		
 			// Set the server id of the mailbox = server ID of mail domain.
 			$this->dataRecord["server_id"] = $domain["server_id"];
@@ -225,7 +233,7 @@
 		global $app, $conf;
 		
 		// Set the domain owner as mailbox owner
-		$domain = $app->db->queryOneRecord("SELECT sys_groupid, server_id FROM mail_domain WHERE domain = '".$app->db->quote($_POST["email_domain"])."' AND ".$app->tform->getAuthSQL('r'));
+		$domain = $app->db->queryOneRecord("SELECT sys_groupid, server_id FROM mail_domain WHERE domain = '".$app->db->quote($app->functions->idn_encode($_POST["email_domain"]))."' AND ".$app->tform->getAuthSQL('r'));
 		$app->db->query("UPDATE mail_user SET sys_groupid = ".$domain["sys_groupid"]." WHERE mailuser_id = ".$this->id);
 		
 		// Spamfilter policy
@@ -261,7 +269,7 @@
 		
 		// Set the domain owner as mailbox owner
 		if(isset($_POST["email_domain"])) {
-			$domain = $app->db->queryOneRecord("SELECT sys_groupid, server_id FROM mail_domain WHERE domain = '".$app->db->quote($_POST["email_domain"])."' AND ".$app->tform->getAuthSQL('r'));
+			$domain = $app->db->queryOneRecord("SELECT sys_groupid, server_id FROM mail_domain WHERE domain = '".$app->db->quote($app->functions->idn_encode($_POST["email_domain"]))."' AND ".$app->tform->getAuthSQL('r'));
 			$app->db->query("UPDATE mail_user SET sys_groupid = ".$domain["sys_groupid"]." WHERE mailuser_id = ".$this->id);
 		
 			// Spamfilter policy

--
Gitblit v1.9.1