http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=revision&revision=13951
diff -Naur squirrelmail-1.4.20/plugins/mail_fetch/config_example.php squirrelmail-1.4.20.oden/plugins/mail_fetch/config_example.php
--- squirrelmail-1.4.20/plugins/mail_fetch/config_example.php 1970-01-01 01:00:00.000000000 +0100
+++ squirrelmail-1.4.20.oden/plugins/mail_fetch/config_example.php 2010-06-21 12:52:45.711770310 +0200
@@ -0,0 +1,62 @@
+<?php
+
+/**
+ * mail_fetch/config_example.php
+ *
+ * Configuration file for the mailfetch plugin.
+ *
+ * @copyright 1999-2010 The SquirrelMail Project Team
+ * @license http://opensource.org/licenses/gpl-license.php GNU Public License
+ * @version $Id: functions.php 13893 2010-01-25 02:47:41Z pdontthink $
+ * @package plugins
+ * @subpackage mail_fetch
+ */
+
+global $mail_fetch_allowable_ports, $mail_fetch_block_server_pattern;
+
+
+// This is the list of POP3 ports the user may specify.
+//
+// Usually, this does not need to be used at all, and
+// ports 110 and 995 will be the only available ports.
+//
+// If users are allowed to access POP3 that is served
+// on a non-standard port, you'll need to add that port
+// to this list and make sure this file is saved as
+// "config.php" in the mail_fetch plugin directory
+//
+// If you do not wish to restrict the allowable port
+// numbers at all, include "ALL" in this list.
+//
+$mail_fetch_allowable_ports = array(110, 995);
+
+
+
+// This is a pattern match that allows you to block
+// access to certain server addresses. This prevents
+// a user from attempting to try to specify certain
+// servers when adding a POP3 address.
+//
+// By default, this plugin will block POP3 server
+// addresses starting with "10.", "192.", "127." and
+// "localhost" (the pattern shown below).
+//
+// If you want to block other addresses, you'll need
+// to add them to this pattern and make sure that this
+// file is saved as "config.php" in the mail_fetch
+// plugin diretory
+//
+// If you do not wish to restrict the allowable server
+// addresses at all, set this value to be "UNRESTRICTED"
+//
+// This is a full regular expression pattern
+//
+// Allow anything:
+//
+// $mail_fetch_block_server_pattern = 'UNRESTRICTED';
+//
+// Default pattern:
+//
+$mail_fetch_block_server_pattern = '/(^10\.)|(^192\.)|(^127\.)|(^localhost)/';
+
+
diff -Naur squirrelmail-1.4.20/plugins/mail_fetch/functions.php squirrelmail-1.4.20.oden/plugins/mail_fetch/functions.php
--- squirrelmail-1.4.20/plugins/mail_fetch/functions.php 2010-06-21 12:54:14.067982236 +0200
+++ squirrelmail-1.4.20.oden/plugins/mail_fetch/functions.php 2010-06-21 12:56:10.777982715 +0200
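Review bot: The default `$mail_fetch_block_server_pattern` at the end of this hunk is a textual prefix match on whatever string the user typed, so its coverage is exactly the four spellings the comment lists: `^192\.` blocks every 192.x address rather than only the 192.168.0.0/16 private range, while 172.16.0.0/12, the IPv6 loopback and link-local ranges, and a hostname that merely resolves to one of these addresses are not covered. The same literal is hard-coded a second time as the fallback in validate_mail_fetch_server_address in functions.php, so the two copies can drift; a single shared default would keep them in step. If the goal is to keep users from pointing the fetcher at internal hosts, the comment should state that this is a best-effort textual filter and that operators on an internal network should extend it, or resolve the hostname and compare the result against their private ranges, rather than rely on the default as-is. Also `plugin diretory` should read `plugin directory`.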
@@ -26,6 +26,72 @@ */ $mail_fetch_allow_unsubscribed = false; +/** + * Validate a requested POP3 port number + * + * Allowable port numbers are configured in config.php + * (see config_example.php for an example and more + * rules about how the list of allowable port numbers + * can be specified) + * + * @param int $requested_port The port number given by the user + * + * @return string An error string is returned if the port + * number is not allowable, otherwise an + * empty string is returned. + * + */ +function validate_mail_fetch_port_number($requested_port) { + global $mail_fetch_allowable_ports; + @include_once(SM_PATH . 'plugins/mail_fetch/config.php'); + if (empty($mail_fetch_allowable_ports)) + $mail_fetch_allowable_ports = array(110, 995); + + if (in_array('ALL', $mail_fetch_allowable_ports)) + return ''; + + if (!in_array($requested_port, $mail_fetch_allowable_ports)) { + sq_change_text_domain('mail_fetch'); + $error = _("Sorry, that port number is not allowed"); + sq_change_text_domain('squirrelmail'); + return $error; + } + + return ''; +} + +/** + * Validate a requested POP3 server address + * + * Blocked server addresses are configured in config.php + * (see config_example.php for more details) + * + * @param int $requested_address The server address given by the user + * + * @return string An error string is returned if the server + * address is not allowable, otherwise an + * empty string is returned. + * + */ +function validate_mail_fetch_server_address($requested_address) { + global $mail_fetch_block_server_pattern; + @include_once(SM_PATH . 
'plugins/mail_fetch/config.php'); + if (empty($mail_fetch_block_server_pattern)) + $mail_fetch_block_server_pattern = '/(^10\.)|(^192\.)|(^127\.)|(^localhost)/'; + + if ($mail_fetch_block_server_pattern == 'UNRESTRICTED') + return ''; + + if (preg_match($mail_fetch_block_server_pattern, $requested_address)) { + sq_change_text_domain('mail_fetch'); + $error = _("Sorry, that server address is not allowed"); + sq_change_text_domain('squirrelmail'); + return $error; + } + + return ''; +} + function hex2bin( $data ) { /* Original code by josh@superfork.com */ diff -Naur squirrelmail-1.4.20/plugins/mail_fetch/options.php squirrelmail-1.4.20.oden/plugins/mail_fetch/options.php --- squirrelmail-1.4.20/plugins/mail_fetch/options.php 2010-06-21 12:54:14.067982236 +0200 +++ squirrelmail-1.4.20.oden/plugins/mail_fetch/options.php 2010-06-21 12:56:10.778982203 +0200 @@ -55,6 +55,8 @@ sqgetGlobalVar('mf_fref', $mf_fref, SQ_POST); sqgetGlobalVar('mf_lmos', $mf_lmos, SQ_POST); sqgetGlobalVar('submit_mailfetch', $submit_mailfetch, SQ_POST); +$mf_port = trim($mf_port); +$mf_server = trim($mf_server); /* end globals */ @@ -63,6 +65,19 @@ switch( $mf_action ) { case 'add': + + $mf_action = 'config'; + + // restrict port number if necessary + // + $message = validate_mail_fetch_port_number($mf_port); + if (!empty($message)) break; + + // restrict server address if necessary + // + $message = validate_mail_fetch_server_address($mf_server); + if (!empty($message)) break; + if ($mf_sn<1) $mf_sn=0; if (!isset($mf_server)) return; setPref($data_dir,$username,"mailfetch_server_$mf_sn", (isset($mf_server)?$mf_server:"")); 
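Review bot: validate_mail_fetch_port_number compares the raw request string against the integer list with a loose `in_array`, so under PHP 5/7 string-to-number comparison a value that merely begins with an allowed port number still compares equal and is then stored unchanged by options.php; check the shape before the lookup, e.g. `if (!ctype_digit((string) $requested_port) || (int) $requested_port > 65535)` returning the same error, then `in_array((int) $requested_port, array_map('intval', $mail_fetch_allowable_ports), true)` after the `'ALL'` check. In validate_mail_fetch_server_address the docblock tag `@param int $requested_address` should read `@param string $requested_address`, and the `== 'UNRESTRICTED'` comparison should be `===`. Both functions also treat an empty configured value as unset and fall back to the built-in defaults, so an administrator cannot express "deny all" with an empty list; a comment such as `// an empty list is treated as unset, not as "deny all"` next to the `empty()` checks would make that explicit.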
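Review bot: The added `$mf_server = trim($mf_server);` in the @@ -55 hunk turns the variable into a string unconditionally, so the existing `if (!isset($mf_server)) return;` guards later in the add and confirm_modify branches can no longer fire; a request without a server field now reaches validation (the block pattern does not match an empty string), passes, and stores an empty server preference where the old code returned, and on PHP the trim of an unset variable also raises an undefined-variable notice. The same applies to `$mf_port`. Guard the trims, `if (isset($mf_port)) $mf_port = trim($mf_port);` and `if (isset($mf_server)) $mf_server = trim($mf_server);`, or have validate_mail_fetch_server_address reject an empty address explicitly.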
@@ -85,10 +100,28 @@ setPref($data_dir,$username,"mailfetch_subfolder_$mf_sn",(isset($mf_subfolder)?$mf_subfolder:"")); $mf_sn++; setPref($data_dir,$username,'mailfetch_server_number', $mf_sn); - $mf_action = 'config'; break; + + // modify a server + // case 'confirm_modify': - //modify a server + + // restrict port number if necessary + // + $message = validate_mail_fetch_port_number($mf_port); + if (!empty($message)) { + $mf_action = 'Modify'; + break; + } + + // restrict server address if necessary + // + $message = validate_mail_fetch_server_address($mf_server); + if (!empty($message)) { + $mf_action = 'Modify'; + break; + } + if (!isset($mf_server)) return; setPref($data_dir,$username,"mailfetch_server_$mf_sn", (isset($mf_server)?$mf_server:"")); setPref($data_dir,$username,"mailfetch_port_$mf_sn", (isset($mf_port)?$mf_port:110)); @@ -199,6 +232,14 @@ ) , 'center', '', 'width="95%"' ); + // display error or other messages if necessary + // + if (!empty($message)) { + echo html_tag( 'table', '', 'center', '', 'width="70%" cellpadding="5" cellspacing="1"' ) . + html_tag( 'tr', + html_tag( 'td', '<b>' . $message . '</b>', 'center', $color[2] )); + } + switch( $mf_action ) { case 'config': echo html_tag( 'table', '', 'center', '', 'width="70%" cellpadding="5" cellspacing="1"' ) .
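Review bot: The port and server validation in the confirm_modify branch is a line-for-line copy of the block added to the add branch, differing only in the `$mf_action` value assigned on failure; a small helper that runs both validators and returns the first non-empty message would leave one call site per branch, e.g. `$message = validate_mail_fetch_server_settings($mf_port, $mf_server); if (!empty($message)) { $mf_action = 'Modify'; break; }`. The rest of the confirm_modify case, including where `$mf_sn` is read, lies outside the hunk.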
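Review bot: `$message` is written into the page inside `<b>` without escaping in the @@ -199 hunk. Today the only values it can hold are the two translated literals returned by the validators, so this is safe as written, but the variable name invites a future message that echoes the user-supplied server or port back; escaping at the output point, `html_tag( 'td', '<b>' . htmlspecialchars($message, ENT_QUOTES, 'UTF-8') . '</b>', 'center', $color[2] )`, keeps that from becoming an HTML injection later. A short comment that `$message` is only ever set from validate_mail_fetch_* would also help the next reader.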