From 6824a5650f265d0e5b347064654ebe33b1895fa8 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it
Date: Fri, 21 Apr 2023 11:21:43 +0200
Subject: [PATCH] [Web] Fix BCC validation
---
 .../inc/functions.address_rewriting.inc.php | 4 ++-
 data/web/inc/functions.mailbox.inc.php | 33 +++++++++++++++++++
 2 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/data/web/inc/functions.address_rewriting.inc.php b/data/web/inc/functions.address_rewriting.inc.php
index 8193c0527..140ae4764 100644
--- a/data/web/inc/functions.address_rewriting.inc.php
+++ b/data/web/inc/functions.address_rewriting.inc.php
@@ -49,7 +49,9 @@ function bcc($_action, $_data = null, $_attr = null) {
 }
 elseif (filter_var($local_dest, FILTER_VALIDATE_EMAIL)) {
 $mailbox = mailbox('get', 'mailbox_details', $local_dest);
- if ($mailbox === false && array_key_exists($local_dest, array_merge($direct_aliases, $shared_aliases)) === false) {
+ $shared_aliases = mailbox('get', 'shared_aliases');
+ $direct_aliases = mailbox('get', 'direct_aliases');
+ if ($mailbox === false && in_array($local_dest, array_merge($direct_aliases, $shared_aliases)) === false) {
 $_SESSION['return'][] = array(
 'type' => 'danger',
 'log' => array(__FUNCTION__, $_action, $_data, $_attr),
diff --git a/data/web/inc/functions.mailbox.inc.php b/data/web/inc/functions.mailbox.inc.php
index 4e036b99c..bd2584839 100644
--- a/data/web/inc/functions.mailbox.inc.php
+++ b/data/web/inc/functions.mailbox.inc.php
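Review bot: The new `in_array()` call in the `elseif (filter_var(...))` branch of bcc() uses loose comparison, so the membership test that gates the BCC destination should pass the strict flag: `in_array($local_dest, array_merge($direct_aliases, $shared_aliases), true)`. The match is also byte-for-byte on the address as entered; if `alias`.`address` is stored lower-cased (not visible in this hunk), a mixed-case `$local_dest` would be rejected although the alias exists, so normalising case before the lookup is worth confirming. Both `mailbox('get', ...)` lookups run even when `$mailbox` was found; guarding them with `$mailbox === false` would skip two full alias-table reads on the common path. bcc() starts and ends outside the hunk.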
@@ -3965,6 +3965,39 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
 }
 return $aliasdomaindata;
 break;
+ case 'shared_aliases':
+ $shared_aliases = array();
+ $stmt = $pdo->query("SELECT `address` FROM `alias`
+ WHERE `goto` REGEXP ','
+ AND `address` NOT LIKE '@%'
+ AND `goto` != `address`");
+ $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
+ while($row = array_shift($rows)) {
+ $domain = explode("@", $row['address'])[1];
+ if (hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $domain)) {
+ $shared_aliases[] = $row['address'];
+ }
+ }
+
+ return $shared_aliases;
+ break;
+ case 'direct_aliases':
+ $direct_aliases = array();
+ $stmt = $pdo->query("SELECT `address` FROM `alias`
+ WHERE `goto` NOT LIKE '%,%'
+ AND `address` NOT LIKE '@%'
+ AND `goto` != `address`");
+ $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
+
+ while($row = array_shift($rows)) {
+ $domain = explode("@", $row['address'])[1];
+ if (hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $domain)) {
+ $direct_aliases[] = $row['address'];
+ }
+ }
+
+ return $direct_aliases;
+ break;
 case 'domains':
 $domains = array();
 if ($_SESSION['mailcow_cc_role'] != "admin" && $_SESSION['mailcow_cc_role'] != "domainadmin") {
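Review bot: Both new cases take the domain for `hasDomainAccess()` from `explode("@", $row['address'])[1]`, which is the text between the first and second `@` and an undefined offset when a row has no `@`. Because that value decides whether the address is included in the list returned for the session user, using everything after the last `@` is the safer parse, e.g. `$domain = substr(strrchr($row['address'], '@'), 1);`. The `shared_aliases` and `direct_aliases` bodies differ only in the `goto` predicate, so a single helper taking that predicate would keep the access filter in one place. `while($row = array_shift($rows))` re-indexes the array on every pass; `foreach ($rows as $row)` does the same in linear time. mailbox() starts and ends outside the hunk.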