diff --git a/data/web/inc/footer.inc.php b/data/web/inc/footer.inc.php
index 8c50c9c15..ac1bff033 100644
--- a/data/web/inc/footer.inc.php
+++ b/data/web/inc/footer.inc.php
@@ -12,7 +12,8 @@ $alertbox_log_parser = alertbox_log_parser($_SESSION);
$alerts = [];
if (is_array($alertbox_log_parser)) {
foreach ($alertbox_log_parser as $log) {
- $message = strtr($log['msg'], ["\n" => '', "\r" => '', "\t" => '
']);
+ $message = htmlspecialchars($log['msg'], ENT_QUOTES);
+ $message = strtr($message, ["\n" => '', "\r" => '', "\t" => '
']);
$alerts[trim($log['type'], '"')][] = trim($message, '"');
}
$alert = array_filter(array_unique($alerts));
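Review bot: `htmlspecialchars($log['msg'], ENT_QUOTES)` on the added line passes only ENT_QUOTES, which drops the ENT_SUBSTITUTE default, so a message containing an invalid UTF-8 sequence is returned as an empty string and the alert silently disappears; use `$message = htmlspecialchars($log['msg'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. Because escaping now happens before `trim($message, '"')` two lines further down, any surrounding double quotes have become `&quot;` and are no longer trimmed, so if the log parser emits quoted messages they will render with visible quotes; trim the raw string before escaping, or drop that trim if it was only there for the quotes. The replacement value for `"\t"` in the strtr map is split across two lines in this rendering of the diff, so I cannot confirm what a tab is turned into; if it is markup, it must remain after the escaping call, as the commit orders it.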
diff --git a/data/web/inc/functions.rspamd.inc.php b/data/web/inc/functions.rspamd.inc.php
index fd1c5bd6c..ec86919c3 100644
--- a/data/web/inc/functions.rspamd.inc.php
+++ b/data/web/inc/functions.rspamd.inc.php
@@ -143,6 +143,7 @@ function rspamd_maps($_action, $_data = null) {
return false;
}
$maps = (array)$_data['map'];
+ $valid_maps = array();
foreach ($maps as $map) {
foreach ($RSPAMD_MAPS as $rspamd_map_type) {
if (!in_array($map, $rspamd_map_type)) {
@@ -151,9 +152,12 @@ function rspamd_maps($_action, $_data = null) {
'log' => array(__FUNCTION__, $_action, '-'),
'msg' => array('global_map_invalid', $map)
);
- continue;
+ } else {
+ array_push($valid_maps, $map);
}
}
+ }
+ foreach ($valid_maps as $map) {
try {
if (file_exists('/rspamd_custom_maps/' . $map)) {
$map_content = trim($_data['rspamd_map_data']);
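Review bot: The validity check is still done per map type inside the inner loop, so with more than one entry in `$RSPAMD_MAPS` a map that belongs to one type is logged as `global_map_invalid` for every other type, and a map present in several types is pushed into `$valid_maps` once per type and written once per type by the new second loop. Flatten the allowlist once, check each map against it with a strict `in_array`, and de-duplicate `$_data['map']`, as sketched below; this allowlist is what keeps `$map` safe to concatenate into the `/rspamd_custom_maps/` path, so the comparison should be strict. Duplicates in the input would otherwise also be written twice. `rspamd_maps` starts before the first hunk of this file and ends after this one.
```php
$maps = (array)$_data['map'];
$valid_maps = array();
// Flatten every map type into one allowlist so each map is checked once, not once per type.
$allowed_maps = array_merge(...array_values($RSPAMD_MAPS));
foreach (array_unique($maps) as $map) {
    if (!in_array($map, $allowed_maps, true)) {
        // … unchanged: $_SESSION['return'][] = array(... 'global_map_invalid', $map ...) …
        continue;
    }
    $valid_maps[] = $map;
}
foreach ($valid_maps as $map) {
    // … unchanged: try { if (file_exists('/rspamd_custom_maps/' . $map)) { … } } …
```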
diff --git a/data/web/json_api.php b/data/web/json_api.php
index 079e79ce8..2458e6624 100644
--- a/data/web/json_api.php
+++ b/data/web/json_api.php
@@ -47,6 +47,12 @@ function api_log($_data) {
}
}
+// Block requests not intended for direct API use by checking the 'Sec-Fetch-Dest' header.
+if (isset($_SERVER['HTTP_SEC_FETCH_DEST']) && $_SERVER['HTTP_SEC_FETCH_DEST'] !== 'empty') {
+ header('HTTP/1.1 403 Forbidden');
+ exit;
+}
+
if (isset($_GET['query'])) {
$query = explode('/', $_GET['query']);
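Review bot: The added check on `$_SERVER['HTTP_SEC_FETCH_DEST']` only rejects requests that carry the header with a value other than `empty`, so clients that do not send Fetch Metadata at all (older browsers, any non-browser client) pass straight through; the comment should say so, e.g. `// Defense in depth only: clients that omit Fetch Metadata are not rejected here.` The status should be set with `http_response_code(403);` rather than `header('HTTP/1.1 403 Forbidden');`, which hardcodes the protocol version in the status line regardless of what the request used. If any json_api.php response can be cached by an intermediary, add `header('Vary: Sec-Fetch-Dest');` before the exit so a cached 403 is not served to a fetch request or the reverse.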