Commit 38b7cb39 authored by tbrehm's avatar tbrehm

Improved config file name in getmail plugin.

parent b7d77da2
......@@ -91,7 +91,7 @@ class getmail_plugin {
$this->delete($event_name,$data);
// Get the new config file path
$config_file_path = escapeshellcmd($this->getmail_config_dir.'/'.$data["new"]["source_server"].'_'.$data["new"]["source_username"].'.conf');
$config_file_path = escapeshellcmd($this->getmail_config_dir.'/'.$this->_clean_path($data["new"]["source_server"]).'_'.$this->_clean_path($data["new"]["source_username"]).'.conf');
if(stristr($config_file_path, "..") or stristr($config_file_path, "|") or stristr($config_file_path,";") or stristr($config_file_path,'$')) {
$app->log("Possibly faked path for getmail config file: '$config_file_path'. File is not written.",LOGLEVEL_ERROR);
return false;
......@@ -155,7 +155,7 @@ class getmail_plugin {
$getmail_config = $app->getconf->get_server_config($conf["server_id"], 'getmail');
$this->getmail_config_dir = $getmail_config["getmail_config_dir"];
$config_file_path = escapeshellcmd($this->getmail_config_dir.'/'.$data["old"]["source_server"].'_'.$data["old"]["source_username"].'.conf');
$config_file_path = escapeshellcmd($this->getmail_config_dir.'/'.$this->_clean_path($data["old"]["source_server"]).'_'.$this->_clean_path($data["old"]["source_username"]).'.conf');
if(stristr($config_file_path,"..") || stristr($config_file_path,"|") || stristr($config_file_path,";") || stristr($config_file_path,'$')) {
$app->log("Possibly faked path for getmail config file: '$config_file_path'. File is not written.",LOGLEVEL_ERROR);
return false;
......@@ -163,6 +163,10 @@ class getmail_plugin {
if(is_file($config_file_path)) unlink($config_file_path);
}
function _clean_path($input) {
return preg_replace('/[^A-Za-z0-9\-_]/', '_', $input);
}
} // end class
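Review bot: `_clean_path()` folds every character outside `[A-Za-z0-9\-_]` into `_`, which is also the separator between server and username, so distinct accounts can now map to the same config file name (for example server `mail.example.com` versus `mail_example_com`, or server `a_b` with user `c` versus server `a` with user `b_c`). In the first hunk that presumably lets one account's config overwrite another's, and in the second hunk `unlink($config_file_path)` would remove a file belonging to a different account. To keep names unique, append something derived from the raw values before `'.conf'`, e.g. `.'_'.substr(hash('sha256', $data["new"]["source_server"]."\n".$data["new"]["source_username"]), 0, 12)` (with `$data["old"]` in the delete path), or use the record's primary key if `$data` carries one. Files written under the previous naming scheme will likely no longer be matched by the delete path, so stale configs holding credentials may stay in the config directory until cleaned up once. Both enclosing functions begin outside the visible hunks.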
......