Fix security hole in AliasHandler

Without this fix it is possible to delete a protected alias via editing the request parameter of the alias to delete.
7 years ago · 7bb36d0bbc
parent e56727fe09
commit 7bb36d0bbc
2 changed files with 6 additions and 0 deletions
--- a/languages/en.lang
+++ b/languages/en.lang
@ -128,6 +128,7 @@ $PALANG['pCreate_alias_result_success'] = 'The alias %s has been created!';
 $PALANG['alias_updated'] = 'The alias %s has been updated!';
 $PALANG['pCreate_alias_catchall_text'] = 'To create a catch-all use an "*" as alias.'; # XXX don't propagate usage of *@target-domain.com for domain-aliasing any longer
 $PALANG['mailbox_alias_cant_be_deleted'] = 'This alias belongs to a mailbox and can\'t be deleted!';
+$PALANG['protected_alias_cant_be_deleted'] = 'The alias %s is protected and can only be deleted by a superadmin';

 $PALANG['pEdit_alias_welcome'] = 'Edit forwarding settings';
 $PALANG['pEdit_alias_help'] = 'Accepts multiple targets, one entry per line.';
--- a/model/AliasHandler.php
+++ b/model/AliasHandler.php
@ -441,6 +441,11 @@ class AliasHandler extends PFAHandler {
            return false;
        }

+        if ($this->can_delete) {
+            $this->errormsg[] = Config::Lang_f('protected_alias_cant_be_deleted', $this->id);
+            return false;
+        }
+
        db_delete('alias', 'address', $this->id);

        list(/*NULL*/,$domain) = explode('@', $this->id);