]> git.datanom.net - qtadmin.git/blobdiff - quarantine.php
Enhance security
[qtadmin.git] / quarantine.php
index 3a7570146494d5e7ae7731a790e4dcbfda593bf5..788f78ae4499a8e85ecdc41652ed02ecb36f20a6 100644 (file)
@@ -5,7 +5,7 @@
     require_once $CFG->root . 'lib/utils.inc.php';
 
     function error($error) {
-        $util = Utils::getInstance();
+        $util = new Utils;
         $util->setHeading("Error");
         echo $util->getHeader();
         echo $util->getHeading();
     }
 
     function handleRequest($request, $ids) {
+        global $CFG;
+
         $query = array();
         foreach ($ids as $id) {
             $mail_id = urldecode($id);
             $mail = unserialize($_SESSION['mailInfo']["$mail_id"]);
-            $secret_id = $mail->secret_id;
-            $recipient = $mail->recipient;
-            //echo "$mail_id $secret_id $recipient";
 
-            if ($request == 'release') {
-                $amavisserver = $CFG->amavisd_db_host;
-                $policy_port = $CFG->amavis_policy_port;
+            if (is_object($mail) && true == $util->authorized($mail->recipient)) {
+                $secret_id = $mail->secret_id;
+                $recipient = $mail->recipient;
 
-                $fp = fsockopen($amavisserver, $policy_port, $errno, $errstr, 30);
-                if (!$fp) {
-                    error("$errstr ($errno)");
-                    exit;
-                }
-                $out = "request=" . $request . "\r\n";
-                $out .= "mail_id=" . $mail_id . "\r\n";
-                $out .= "recipient=" . $recipient . "\r\n";
-                $out .= "secret_id=" . $secret_id . "\r\n\r\n";
-                fwrite($fp, $out);
-                $response = fread($fp, 8192);
-                fclose($fp);
-                $response = urldecode($response);
-                if (! preg_match("/^setreply=250\s+([\d\.]+)\s+(.*)/", $response, $matches)) {
-                    error("Request to release failed [$out][$response]");
-                    exit;
-                }
-                if ($matches[1] != '2.0.0') {
-                    error($matches[2]);
+                if ($request == 'release') {
+                    $amavisserver = $CFG->amavisd_db_host;
+                    $policy_port = $CFG->amavis_policy_port;
+
+                    $fp = fsockopen($amavisserver, $policy_port, $errno, $errstr, 30);
+                    if (!$fp) {
+                        error("$errstr ($errno)");
+                        exit;
+                    }
+                    $out = "request=" . $request . "\r\n";
+                    $out .= "mail_id=" . $mail_id . "\r\n";
+                    $out .= "recipient=" . $recipient . "\r\n";
+                    $out .= "secret_id=" . $secret_id . "\r\n\r\n";
+                    fwrite($fp, $out);
+                    $response = fread($fp, 8192);
+                    fclose($fp);
+                    $response = urldecode($response);
+                    if (! preg_match("/^setreply=250\s+([\d\.]+)\s+(.*)/", $response, $matches)) {
+                        error("Request to release failed [$out][$response]");
+                        exit;
+                    }
+                    if ($matches[1] != '2.0.0') {
+                        error($matches[2]);
+                        exit;
+                    }
+
+                    $query[] = "UPDATE msgrcpt SET rs = 'R' WHERE mail_id = '$mail_id'";
+                } else if ($request == 'delete') {
+                    $query[] = "UPDATE msgrcpt SET rs = 'D' WHERE mail_id = '$mail_id'";
+                } else {
+                    error("Unknown operation [$request]");
                     exit;
                 }
-
-                $query[] = "UPDATE msgrcpt SET rs = 'R' WHERE mail_id = '$mail_id'";
-            } else if ($request == 'delete') {
-                $query[] = "UPDATE msgrcpt SET rs = 'D' WHERE mail_id = '$mail_id'";
-            } else {
-                error("Unknown operation [$request]");
-                exit;
             }
         }
 
         return $query;
     }
 
-    $util = Utils::getInstance();
+    $util = new Utils;
     $loggedIn = $util->isLoggedIn();
     $request = isset($_GET['op']) ? $_GET['op'] : '';
     if ($loggedIn && isset($_GET['id'])) {
         $ids = explode(',', $_GET['id']);
         $query = handleRequest($request, $ids);
-/*        exit;
-        $mail_id = urldecode($_GET['id']);
-        $mail = unserialize($_SESSION['mailInfo']["$mail_id"]);
-        $secret_id = $mail->secret_id;
-        $recipient = $mail->recipient;
-
-        $query = array();
-        if ($request == 'release') {
-            $amavisserver = $CFG->amavisd_db_host;
-            $policy_port = $CFG->amavis_policy_port;
-
-            $fp = fsockopen($amavisserver, $policy_port, $errno, $errstr, 30);
-            if (!$fp) {
-                error("$errstr ($errno)");
-                exit;
-            }
-            $out = "request=" . $request . "\r\n";
-            $out .= "mail_id=" . $mail_id . "\r\n";
-            $out .= "recipient=" . $recipient . "\r\n";
-            $out .= "secret_id=" . $secret_id . "\r\n\r\n";
-            fwrite($fp, $out);
-            $response = fread($fp, 8192);
-            fclose($fp);
-            $response = urldecode($response);
-            if (! preg_match("/^setreply=250\s+([\d\.]+)\s+(.*)/", $response, $matches)) {
-                error("Request to release failed [$out][$response]");
-                exit;
-            }
-            if ($matches[1] != '2.0.0') {
-                error($matches[2]);
-                exit;
-            }
-
-            $query[] = "UPDATE msgrcpt SET rs = 'R' WHERE mail_id = '$mail_id'";
-        } else if ($request == 'delete') {
-            $query[] = "UPDATE msgrcpt SET rs = 'D' WHERE mail_id = '$mail_id'";
-        } else {
-            error("Unknown operation [$request]");
-            exit;
-        }*/
-        print_r($query);
-        exit;
         $success = $DB->update($query);
         if (! $success) {
             error("Message not released, contact administrator [$query]");
         $query = array();
         $error = array();
         foreach ($marked as $mail_id) {
-            $query[] = "delete from msgs where mail_id = '$mail_id'";
-            $query[] = "delete from msgrcpt where mail_id = '$mail_id'";
-            $query[] = "delete from quarantine where mail_id = '$mail_id'";
-            $success = $DB->update($query);
-            if (! $success) {
-                $error[] = $mail_id;
+            $mail = $DB->getMail($mail_id);
+            if (is_object($mail) && true == $util->authorized($mail->recipient)) {
+                $query[] = "delete from msgs where mail_id = '$mail_id'";
+                $query[] = "delete from msgrcpt where mail_id = '$mail_id'";
+                $query[] = "delete from quarantine where mail_id = '$mail_id'";
+                $success = $DB->update($query);
+                if (! $success) {
+                    $error[] = $mail_id;
+                }
             }
         }
         if (count($error) > 0) {
This page took 0.034542 seconds and 5 git commands to generate.