Fix security hole in AliasHandler

Without this fix it is possible to delete a protected alias via editing
the request parameter of the alias to delete.
pull/23/head
Jan-Frederik Rieckers 8 years ago
parent e56727fe09
commit 7bb36d0bbc
No known key found for this signature in database
GPG Key ID: 664B03955EA04DEF

@ -128,6 +128,7 @@ $PALANG['pCreate_alias_result_success'] = 'The alias %s has been created!';
$PALANG['alias_updated'] = 'The alias %s has been updated!';
$PALANG['pCreate_alias_catchall_text'] = 'To create a catch-all use an "*" as alias.'; # XXX don't propagate usage of *@target-domain.com for domain-aliasing any longer
$PALANG['mailbox_alias_cant_be_deleted'] = 'This alias belongs to a mailbox and can\'t be deleted!';
$PALANG['protected_alias_cant_be_deleted'] = 'The alias %s is protected and can only be deleted by a superadmin';
$PALANG['pEdit_alias_welcome'] = 'Edit forwarding settings';
$PALANG['pEdit_alias_help'] = 'Accepts multiple targets, one entry per line.';

@ -441,6 +441,11 @@ class AliasHandler extends PFAHandler {
return false;
}
if ($this->can_delete) {
$this->errormsg[] = Config::Lang_f('protected_alias_cant_be_deleted', $this->id);
return false;
}
db_delete('alias', 'address', $this->id);
list(/*NULL*/,$domain) = explode('@', $this->id);

Loading…
Cancel
Save