mirror of
https://github.com/postfixadmin/postfixadmin.git
synced 2024-09-20 03:36:20 +02:00
Fix security hole in AliasHandler
Without this fix it is possible to delete a protected alias via editing the request parameter of the alias to delete.
parent
e56727fe09
commit
7bb36d0bbc
@ -128,6 +128,7 @@ $PALANG['pCreate_alias_result_success'] = 'The alias %s has been created!';
|
|||||||
$PALANG['alias_updated'] = 'The alias %s has been updated!';
|
$PALANG['alias_updated'] = 'The alias %s has been updated!';
|
||||||
$PALANG['pCreate_alias_catchall_text'] = 'To create a catch-all use an "*" as alias.'; # XXX don't propagate usage of *@target-domain.com for domain-aliasing any longer
|
$PALANG['pCreate_alias_catchall_text'] = 'To create a catch-all use an "*" as alias.'; # XXX don't propagate usage of *@target-domain.com for domain-aliasing any longer
|
||||||
$PALANG['mailbox_alias_cant_be_deleted'] = 'This alias belongs to a mailbox and can\'t be deleted!';
|
$PALANG['mailbox_alias_cant_be_deleted'] = 'This alias belongs to a mailbox and can\'t be deleted!';
|
||||||
|
$PALANG['protected_alias_cant_be_deleted'] = 'The alias %s is protected and can only be deleted by a superadmin';
|
||||||
|
|
||||||
$PALANG['pEdit_alias_welcome'] = 'Edit forwarding settings';
|
$PALANG['pEdit_alias_welcome'] = 'Edit forwarding settings';
|
||||||
$PALANG['pEdit_alias_help'] = 'Accepts multiple targets, one entry per line.';
|
$PALANG['pEdit_alias_help'] = 'Accepts multiple targets, one entry per line.';
|
||||||
|
@ -441,6 +441,11 @@ class AliasHandler extends PFAHandler {
|
|||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ($this->can_delete) {
|
||||||
|
$this->errormsg[] = Config::Lang_f('protected_alias_cant_be_deleted', $this->id);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
db_delete('alias', 'address', $this->id);
|
db_delete('alias', 'address', $this->id);
|
||||||
|
|
||||||
list(/*NULL*/,$domain) = explode('@', $this->id);
|
list(/*NULL*/,$domain) = explode('@', $this->id);
|
||||||
|
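Review bot: The new guard in front of `db_delete('alias', 'address', $this->id)` reads inverted: as written, `if ($this->can_delete)` adds `protected_alias_cant_be_deleted` and returns false when the flag is truthy, and falls through to the delete when it is falsy. If `can_delete` means what its name suggests (it is set outside this hunk, so confirm), a protected alias would still be deleted for a non-superadmin while permitted deletes would be refused; the condition should be `if (!$this->can_delete) {`. The enclosing method starts and ends outside the hunk, so it is also worth checking that `can_delete` is populated for `$this->id` on every path that reaches this point. A regression test that has a domain admin request deletion of a protected alias and asserts the row is still present would pin the intended behaviour.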