fix incorrect security check on mail-directories where various special-characters are allowed, fixes #1458

Signed-off-by: Michael Kaufmann (d00p) <d00p@froxlor.org>
2014-10-01 07:29:25 +02:00
parent cbab67a2fd
commit 480e3a8bfd
3 changed files with 30 additions and 19 deletions
--- a/scripts/jobs/cron_mailboxsize.php
+++ b/scripts/jobs/cron_mailboxsize.php
@@ -35,7 +35,9 @@ while ($maildir = $maildirs_stmt->fetch(PDO::FETCH_ASSOC)) {
 	if (file_exists($_maildir)
 		&& is_dir($_maildir)
 	) {
-		$back = safe_exec('du -sk ' . escapeshellarg($_maildir) . '');
+		// mail-adress allows many special characters, see http://en.wikipedia.org/wiki/Email_address#Local_part
+		$return = false;
+		$back = safe_exec('du -sk ' . escapeshellarg($_maildir), $return, array('|', '&', '`', '$', '~', '?'));
 		foreach ($back as $backrow) {
 			$emailusage = explode(' ', $backrow);
 		}
--- a/scripts/jobs/cron_tasks.php
+++ b/scripts/jobs/cron_tasks.php
@@ -210,7 +210,9 @@ while ($row = $result_tasks_stmt->fetch(PDO::FETCH_ASSOC)) {
 					&& filegroup($maildir) == Settings::Get('system.vmail_gid')
 				) {
 					$cronlog->logAction(CRON_ACTION, LOG_NOTICE, 'Running: rm -rf ' . escapeshellarg($maildir));
-					safe_exec('rm -rf '.escapeshellarg($maildir));
+					// mail-adress allows many special characters, see http://en.wikipedia.org/wiki/Email_address#Local_part
+					$return = false;
+					safe_exec('rm -rf '.escapeshellarg($maildir), $return, array('|', '&', '`', '$', '~', '?'));
 				}

 				// remove tmpdir if it exists
@@ -281,7 +283,9 @@ while ($row = $result_tasks_stmt->fetch(PDO::FETCH_ASSOC)) {
 					&& filegroup($maildir) == Settings::Get('system.vmail_gid')
 				) {
 					$cronlog->logAction(CRON_ACTION, LOG_NOTICE, 'Running: rm -rf ' . escapeshellarg($maildir));
-					safe_exec('rm -rf '.escapeshellarg($maildir));
+					// mail-adress allows many special characters, see http://en.wikipedia.org/wiki/Email_address#Local_part
+					$return = false;
+					safe_exec('rm -rf '.escapeshellarg($maildir), $return, array('|', '&', '`', '$', '~', '?'));

 				} else {
 					// backward-compatibility for old folder-structure
@@ -296,7 +300,9 @@ while ($row = $result_tasks_stmt->fetch(PDO::FETCH_ASSOC)) {
 						&& filegroup($maildir_old) == Settings::Get('system.vmail_gid')
 					) {
 						$cronlog->logAction(CRON_ACTION, LOG_NOTICE, 'Running: rm -rf ' . escapeshellarg($maildir_old));
-						safe_exec('rm -rf '.escapeshellarg($maildir_old));
+						// mail-adress allows many special characters, see http://en.wikipedia.org/wiki/Email_address#Local_part
+						$return = false;
+						safe_exec('rm -rf '.escapeshellarg($maildir_old), $return, array('|', '&', '`', '$', '~', '?'));
 					}
 				}
 			}