diff --git a/data/web/inc/footer.inc.php b/data/web/inc/footer.inc.php
index 8c50c9c15..ac1bff033 100644
--- a/data/web/inc/footer.inc.php
+++ b/data/web/inc/footer.inc.php
@@ -12,7 +12,8 @@ $alertbox_log_parser = alertbox_log_parser($_SESSION);
 $alerts = [];
 if (is_array($alertbox_log_parser)) {
   foreach ($alertbox_log_parser as $log) {
-    $message = strtr($log['msg'], ["\n" => '', "\r" => '', "\t" => '
']);
+    $message = htmlspecialchars($log['msg'], ENT_QUOTES);
+    $message = strtr($message, ["\n" => '', "\r" => '', "\t" => '
']);
     $alerts[trim($log['type'], '"')][] = trim($message, '"');
   }
   $alert = array_filter(array_unique($alerts));
diff --git a/data/web/inc/functions.rspamd.inc.php b/data/web/inc/functions.rspamd.inc.php
index fd1c5bd6c..ec86919c3 100644
--- a/data/web/inc/functions.rspamd.inc.php
+++ b/data/web/inc/functions.rspamd.inc.php
@@ -143,6 +143,7 @@ function rspamd_maps($_action, $_data = null) {
         return false;
       }
       $maps = (array)$_data['map'];
+      $valid_maps = array();
       foreach ($maps as $map) {
         foreach ($RSPAMD_MAPS as $rspamd_map_type) {
           if (!in_array($map, $rspamd_map_type)) {
@@ -151,9 +152,12 @@ function rspamd_maps($_action, $_data = null) {
               'log' => array(__FUNCTION__, $_action, '-'),
               'msg' => array('global_map_invalid', $map)
             );
-            continue;
+          } else {
+            array_push($valid_maps, $map);
           }
         }
+      }
+      foreach ($valid_maps as $map) {
         try {
           if (file_exists('/rspamd_custom_maps/' . $map)) {
             $map_content = trim($_data['rspamd_map_data']);
diff --git a/data/web/json_api.php b/data/web/json_api.php
index 079e79ce8..2458e6624 100644
--- a/data/web/json_api.php
+++ b/data/web/json_api.php
@@ -47,6 +47,12 @@ function api_log($_data) {
   }
 }
 
+// Block requests not intended for direct API use by checking the 'Sec-Fetch-Dest' header.
+if (isset($_SERVER['HTTP_SEC_FETCH_DEST']) && $_SERVER['HTTP_SEC_FETCH_DEST'] !== 'empty') {
+  header('HTTP/1.1 403 Forbidden');
+  exit;
+}
+
 if (isset($_GET['query'])) {

   $query = explode('/', $_GET['query']);
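Review bot: Passing `ENT_QUOTES` alone to htmlspecialchars on the first added line drops `ENT_SUBSTITUTE`, so a log message containing an invalid UTF-8 sequence is returned as an empty string and the alert silently disappears; use `htmlspecialchars($log['msg'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. Escaping before the existing `trim($message, '"')` on the following context line also changes its behaviour: a `"` has become `&quot;` by the time trim runs, so wrapping quotes are no longer stripped — trim the raw message first, then escape. If the template that prints `$alert` escapes again (Twig autoescape, for instance), these messages will be double-encoded, so it is worth confirming where the values are rendered. The `if (is_array($alertbox_log_parser))` block closes outside the hunk.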
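Review bot: `in_array($map, $rspamd_map_type)` in the first rspamd hunk still compares loosely, and `$map` is taken from `(array)$_data['map']` — presumably the request payload — before the second hunk uses it as a path component in `'/rspamd_custom_maps/' . $map`; an allow-list that gates a filesystem path should compare strictly, `if (!in_array($map, $rspamd_map_type, true)) {`, so a non-string value cannot match an entry through type juggling. The restructured loop also pushes `$map` into `$valid_maps` once per `$RSPAMD_MAPS` type that contains it and logs `global_map_invalid` once per type that does not, so if `$RSPAMD_MAPS` ever holds more than one type a name present in only one of them is both accepted and reported as invalid; a `break` after the push, or a per-map flag resolved after the inner loop, would make the decision unambiguous. rspamd_maps() begins before the first hunk and ends after the second.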
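Review bot: The new `Sec-Fetch-Dest` check rejects only destinations other than `empty` — top-level navigations and `<script>`/`<img>`/frame loads — while a cross-site `fetch()` or XHR also carries `Sec-Fetch-Dest: empty` and passes, so by itself this does not cover the cross-site request case for state-changing endpoints. If the API is not meant to be called cross-site, pair it with the site check the Fetch Metadata resource-isolation pattern uses, `if (isset($_SERVER['HTTP_SEC_FETCH_SITE']) && !in_array($_SERVER['HTTP_SEC_FETCH_SITE'], ['same-origin', 'same-site', 'none'], true)) { header('HTTP/1.1 403 Forbidden'); exit; }`. The comment above the check should also say that only browsers send these headers, so non-browser API clients skip it and this is a hardening layer rather than an access control: `// Browsers send Sec-Fetch-Dest; non-browser clients omit it and are not affected. Reject navigations and embeds (document, iframe, script, image, ...) so this endpoint cannot be loaded as a page or sub-resource.`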