fix(backend): address potential security exploits in request parameters (#1514)

* use FILTER_SANITIZE_FULL_SPECIAL_CHARS for all get request parameters instead of FILTER_DEFAULT and fix duplicate post filters of the contact module

* for all other parameters, use FILTER_UNSAFE_RAW instead of FILTER_DEFAULT for better clarity

Author: mercihabam

modules/2fa/setup.php

@@ -23,7 +23,7 @@
         'ajax_2fa_setup_check',
     ),
     'allowed_post' => array(
-        '2fa_code' => FILTER_DEFAULT,
+        '2fa_code' => FILTER_UNSAFE_RAW,
         '2fa_enable' => FILTER_VALIDATE_INT,
         '2fa_backup_codes' => array('filter' => FILTER_VALIDATE_INT, 'flags'  => FILTER_FORCE_ARRAY)
     ),

modules/account/setup.php

@@ -31,13 +31,13 @@
         'change_password'
     ),
     'allowed_post' => array(
-        'create_username' => FILTER_DEFAULT,
+        'create_username' => FILTER_UNSAFE_RAW,
         'create_password' => FILTER_UNSAFE_RAW,
         'create_password_again' => FILTER_UNSAFE_RAW,
-        'delete_username' => FILTER_DEFAULT,
+        'delete_username' => FILTER_UNSAFE_RAW,
         'new_pass1' => FILTER_UNSAFE_RAW,
         'new_pass2' => FILTER_UNSAFE_RAW,
         'old_pass' => FILTER_UNSAFE_RAW,
-        'change_password' => FILTER_DEFAULT,
+        'change_password' => FILTER_UNSAFE_RAW,
     )
 );

modules/advanced_search/setup.php

@@ -31,14 +31,14 @@
         'ajax_adv_search'
     ),
     'allowed_post' => array(
-        'adv_source' => FILTER_DEFAULT,
-        'adv_start' => FILTER_DEFAULT,
+        'adv_source' => FILTER_UNSAFE_RAW,
+        'adv_start' => FILTER_UNSAFE_RAW,
         'adv_source_limit' => FILTER_VALIDATE_INT,
-        'adv_end' => FILTER_DEFAULT,
-        'adv_charset' => FILTER_DEFAULT,
-        'adv_flags' => array('filter' => FILTER_DEFAULT, 'flags' => FILTER_REQUIRE_ARRAY),
-        'adv_terms' => array('filter' => FILTER_DEFAULT, 'flags' => FILTER_REQUIRE_ARRAY),
-        'adv_targets' => array('filter' => FILTER_DEFAULT, 'flags' => FILTER_REQUIRE_ARRAY),
+        'adv_end' => FILTER_UNSAFE_RAW,
+        'adv_charset' => FILTER_UNSAFE_RAW,
+        'adv_flags' => array('filter' => FILTER_UNSAFE_RAW, 'flags' => FILTER_REQUIRE_ARRAY),
+        'adv_terms' => array('filter' => FILTER_UNSAFE_RAW, 'flags' => FILTER_REQUIRE_ARRAY),
+        'adv_targets' => array('filter' => FILTER_UNSAFE_RAW, 'flags' => FILTER_REQUIRE_ARRAY),
         'all_folders' => FILTER_VALIDATE_BOOLEAN,
         'all_special_folders' => FILTER_VALIDATE_BOOLEAN,
         'include_subfolders' => FILTER_VALIDATE_BOOLEAN,

modules/api_login/setup.php

@@ -13,8 +13,8 @@
 return array(
     'allowed_pages' => array('process_api_login'),
     'allowed_post' => array(
-        'hm_session' => FILTER_DEFAULT,
-        'hm_id' => FILTER_DEFAULT,
-        'api_login_key' => FILTER_DEFAULT
+        'hm_session' => FILTER_UNSAFE_RAW,
+        'hm_id' => FILTER_UNSAFE_RAW,
+        'api_login_key' => FILTER_UNSAFE_RAW
     )
 );

modules/calendar/setup.php

@@ -22,16 +22,16 @@
         'calendar',
     ),
     'allowed_post' => array(
-        'event_title' => FILTER_DEFAULT,
-        'event_detail' => FILTER_DEFAULT,
-        'event_date' => FILTER_DEFAULT,
-        'event_time' => FILTER_DEFAULT,
-        'event_repeat' => FILTER_DEFAULT,
-        'delete_id' => FILTER_DEFAULT
+        'event_title' => FILTER_UNSAFE_RAW,
+        'event_detail' => FILTER_UNSAFE_RAW,
+        'event_date' => FILTER_UNSAFE_RAW,
+        'event_time' => FILTER_UNSAFE_RAW,
+        'event_repeat' => FILTER_UNSAFE_RAW,
+        'delete_id' => FILTER_UNSAFE_RAW
     ),
     'allowed_get' => array(
-        'date' => FILTER_DEFAULT,
-        'view' => FILTER_DEFAULT,
-        'action' => FILTER_DEFAULT,
+        'date' => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
+        'view' => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
+        'action' => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
     ),
 );

modules/carddav_contacts/setup.php

@@ -24,13 +24,13 @@
 
 return array(
     'allowed_post' => array(
-        'carddav_usernames' => array('filter' => FILTER_DEFAULT, 'flags'  => FILTER_FORCE_ARRAY),
+        'carddav_usernames' => array('filter' => FILTER_UNSAFE_RAW, 'flags'  => FILTER_FORCE_ARRAY),
         'carddav_passwords' => array('filter' => FILTER_UNSAFE_RAW, 'flags'  => FILTER_FORCE_ARRAY),
-        'carddav_email' => FILTER_DEFAULT,
-        'carddav_fn' => FILTER_DEFAULT,
-        'carddav_phone' => FILTER_DEFAULT,
-        'carddav_phone_id' => FILTER_DEFAULT,
-        'carddav_fn_id' => FILTER_DEFAULT,
-        'carddav_email_id' => FILTER_DEFAULT
+        'carddav_email' => FILTER_UNSAFE_RAW,
+        'carddav_fn' => FILTER_UNSAFE_RAW,
+        'carddav_phone' => FILTER_UNSAFE_RAW,
+        'carddav_phone_id' => FILTER_UNSAFE_RAW,
+        'carddav_fn_id' => FILTER_UNSAFE_RAW,
+        'carddav_email_id' => FILTER_UNSAFE_RAW
     )
 );

modules/contacts/setup.php

@@ -63,39 +63,30 @@
         'ajax_autocomplete_contact'
     ),
     'allowed_post' => array(
-        'contact_email' => FILTER_DEFAULT,
-        'contact_name' => FILTER_DEFAULT,
-        'contact_phone' => FILTER_DEFAULT,
-        'contact_id' => FILTER_DEFAULT,
-        'contact_value' => FILTER_DEFAULT,
-        'edit_contact' => FILTER_DEFAULT,
-        'add_contact' => FILTER_DEFAULT,
-        'contact_source' => FILTER_DEFAULT,
-        'contact_type' => FILTER_DEFAULT,
-        'import_contact' => FILTER_DEFAULT,
-        'contact_email' => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
-        'contact_name' => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
-        'contact_phone' => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
-        'contact_group' => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
-        'contact_value' => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
-        'edit_contact' => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
-        'add_contact' => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
-        'contact_source' => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
-        'contact_type' => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
+        'contact_email' => FILTER_SANITIZE_EMAIL,
+        'contact_name' => FILTER_UNSAFE_RAW,
+        'contact_phone' => FILTER_UNSAFE_RAW,
+        'contact_id' => FILTER_UNSAFE_RAW,
+        'contact_value' => FILTER_UNSAFE_RAW,
+        'edit_contact' => FILTER_UNSAFE_RAW,
+        'add_contact' => FILTER_UNSAFE_RAW,
+        'contact_source' => FILTER_UNSAFE_RAW,
+        'contact_type' => FILTER_UNSAFE_RAW,
+        'import_contact' => FILTER_UNSAFE_RAW,
         'contact_auto_collect' => FILTER_VALIDATE_BOOLEAN,
         'enable_warn_contacts_cc_not_exist_in_list_contact' => FILTER_VALIDATE_INT,
-        'email_address' => FILTER_SANITIZE_FULL_SPECIAL_CHARS
+        'email_address' => FILTER_SANITIZE_EMAIL
     ),
     'allowed_get' => array(
         'contact_id' => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
         'contact_page' => FILTER_VALIDATE_INT,
-        'contact_type' => FILTER_DEFAULT,
-        'contact_source' => FILTER_DEFAULT,
-        'import_contact' => FILTER_DEFAULT,
+        'contact_type' => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
+        'contact_source' => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
+        'import_contact' => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
     ),
     'allowed_output' => array(
         'contact_deleted' => array(FILTER_VALIDATE_INT, false),
-        'imported_contact' => array(FILTER_DEFAULT, FILTER_REQUIRE_ARRAY),
+        'imported_contact' => array(FILTER_SANITIZE_FULL_SPECIAL_CHARS, FILTER_REQUIRE_ARRAY),
         'contact_suggestions' => array(FILTER_SANITIZE_FULL_SPECIAL_CHARS, FILTER_REQUIRE_ARRAY),
         'collect_contacts' => array(FILTER_VALIDATE_BOOLEAN, false),
         'imap_allow_images' => array(FILTER_VALIDATE_BOOLEAN, false),

modules/core/setup.php

@@ -222,143 +222,143 @@
         'ajax_combined_message_list'
     ),
     'allowed_output' => array(
-        'date' => array(FILTER_DEFAULT, false),
+        'date' => array(FILTER_UNSAFE_RAW, false),
         'formatted_folder_list' => array(FILTER_UNSAFE_RAW, false),
-        'router_user_msgs' => array(FILTER_DEFAULT, FILTER_REQUIRE_ARRAY),
+        'router_user_msgs' => array(FILTER_UNSAFE_RAW, FILTER_REQUIRE_ARRAY),
         'router_login_state' => array(FILTER_VALIDATE_BOOLEAN, false),
         'formatted_message_list' => array(FILTER_UNSAFE_RAW, FILTER_REQUIRE_ARRAY),
         'just_saved_credentials' => array(FILTER_VALIDATE_BOOLEAN, false),
         'just_forgot_credentials' => array(FILTER_VALIDATE_BOOLEAN, false),
-        'deleted_server_id' => array(FILTER_DEFAULT, false),
+        'deleted_server_id' => array(FILTER_UNSAFE_RAW, false),
         'msg_headers' => array(FILTER_UNSAFE_RAW, false),
         'msg_text' => array(FILTER_UNSAFE_RAW, false),
         'msg_source' => array(FILTER_UNSAFE_RAW, false),
         'msg_parts' => array(FILTER_UNSAFE_RAW, false),
         'pages' => array(FILTER_VALIDATE_INT, false),
-        'folder_status' => array(FILTER_DEFAULT, FILTER_REQUIRE_ARRAY),
-        'imap_server_id' => array(FILTER_DEFAULT, false),
-        'imap_service_name' => array(FILTER_DEFAULT, false)
+        'folder_status' => array(FILTER_UNSAFE_RAW, FILTER_REQUIRE_ARRAY),
+        'imap_server_id' => array(FILTER_UNSAFE_RAW, false),
+        'imap_service_name' => array(FILTER_UNSAFE_RAW, false)
     ),
     'allowed_cookie' => array(
-        'CYPHTID' => FILTER_DEFAULT,
-        'hm_id' => FILTER_DEFAULT,
-        'hm_session' => FILTER_DEFAULT,
-        'hm_msgs'    => FILTER_DEFAULT,
+        'CYPHTID' => FILTER_UNSAFE_RAW,
+        'hm_id' => FILTER_UNSAFE_RAW,
+        'hm_session' => FILTER_UNSAFE_RAW,
+        'hm_msgs'    => FILTER_UNSAFE_RAW,
         'hm_reload_folders'    => FILTER_VALIDATE_INT
     ),
     'allowed_server' => array(
-        'REQUEST_URI' => FILTER_DEFAULT,
-        'REQUEST_METHOD' => FILTER_DEFAULT,
+        'REQUEST_URI' => FILTER_UNSAFE_RAW,
+        'REQUEST_METHOD' => FILTER_UNSAFE_RAW,
         'SERVER_ADDR' => FILTER_VALIDATE_IP,
         'REMOTE_ADDR' => FILTER_VALIDATE_IP,
         'SERVER_PORT' => FILTER_VALIDATE_INT,
-        'SERVER_PROTOCOL' => FILTER_DEFAULT,
-        'PHP_SELF' => FILTER_DEFAULT,
-        'REQUEST_SCHEME' => FILTER_DEFAULT,
-        'HTTP_HOST' => FILTER_DEFAULT,
+        'SERVER_PROTOCOL' => FILTER_UNSAFE_RAW,
+        'PHP_SELF' => FILTER_UNSAFE_RAW,
+        'REQUEST_SCHEME' => FILTER_UNSAFE_RAW,
+        'HTTP_HOST' => FILTER_UNSAFE_RAW,
         'HTTP_ORIGIN' => FILTER_VALIDATE_URL,
         'HTTP_REFERER' => FILTER_VALIDATE_URL,
-        'HTTP_ACCEPT_LANGUAGE' => FILTER_DEFAULT,
-        'HTTP_ACCEPT_ENCODING' => FILTER_DEFAULT,
-        'HTTP_ACCEPT_CHARSET' => FILTER_DEFAULT,
-        'HTTP_ACCEPT' => FILTER_DEFAULT,
-        'HTTP_USER_AGENT' => FILTER_DEFAULT,
-        'HTTPS' => FILTER_DEFAULT,
-        'SERVER_NAME' => FILTER_DEFAULT,
-        'HTTP_X_REQUESTED_WITH' => FILTER_DEFAULT,
-        'HTTP_X_FORWARDED_HOST' => FILTER_DEFAULT
+        'HTTP_ACCEPT_LANGUAGE' => FILTER_UNSAFE_RAW,
+        'HTTP_ACCEPT_ENCODING' => FILTER_UNSAFE_RAW,
+        'HTTP_ACCEPT_CHARSET' => FILTER_UNSAFE_RAW,
+        'HTTP_ACCEPT' => FILTER_UNSAFE_RAW,
+        'HTTP_USER_AGENT' => FILTER_UNSAFE_RAW,
+        'HTTPS' => FILTER_UNSAFE_RAW,
+        'SERVER_NAME' => FILTER_UNSAFE_RAW,
+        'HTTP_X_REQUESTED_WITH' => FILTER_UNSAFE_RAW,
+        'HTTP_X_FORWARDED_HOST' => FILTER_UNSAFE_RAW
     ),
 
     'allowed_get' => array(
-        'page' => FILTER_DEFAULT,
-        'msgs' => FILTER_DEFAULT,
-        'list_path' => FILTER_DEFAULT,
-        'list_parent' => FILTER_DEFAULT,
+        'page' => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
+        'msgs' => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
+        'list_path' => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
+        'list_parent' => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
         'list_page' => FILTER_VALIDATE_INT,
-        'uid' => FILTER_DEFAULT,
+        'uid' => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
         'search_terms' => FILTER_UNSAFE_RAW,
-        'search_since' => FILTER_DEFAULT,
-        'search_fld' => FILTER_DEFAULT,
-        'filter' => FILTER_DEFAULT,
-        'sort' => FILTER_DEFAULT,
-        'keyword' => FILTER_DEFAULT,
-        'screen_emails' => FILTER_DEFAULT,
+        'search_since' => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
+        'search_fld' => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
+        'filter' => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
+        'sort' => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
+        'keyword' => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
+        'screen_emails' => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
     ),
 
     'allowed_post' => array(
-        'payload' => FILTER_DEFAULT,
-        'reset_factory' => FILTER_DEFAULT,
-        'hm_page_key' => FILTER_DEFAULT,
+        'payload' => FILTER_UNSAFE_RAW,
+        'reset_factory' => FILTER_UNSAFE_RAW,
+        'hm_page_key' => FILTER_UNSAFE_RAW,
         'logout' => FILTER_VALIDATE_BOOLEAN,
         'save_and_logout' => FILTER_VALIDATE_BOOLEAN,
         'limit' => FILTER_VALIDATE_INT,
-        'username' => FILTER_DEFAULT,
+        'username' => FILTER_UNSAFE_RAW,
         'show_list_icons' => FILTER_VALIDATE_BOOLEAN,
         'password' => FILTER_UNSAFE_RAW,
-        'hm_ajax_hook' => FILTER_DEFAULT,
-        'save_settings' => FILTER_DEFAULT,
-        'save_settings_permanently' => FILTER_DEFAULT,
-        'save_settings_permanently_then_logout' => FILTER_DEFAULT,
-        'language' => FILTER_DEFAULT,
+        'hm_ajax_hook' => FILTER_UNSAFE_RAW,
+        'save_settings' => FILTER_UNSAFE_RAW,
+        'save_settings_permanently' => FILTER_UNSAFE_RAW,
+        'save_settings_permanently_then_logout' => FILTER_UNSAFE_RAW,
+        'language' => FILTER_UNSAFE_RAW,
         'flagged_per_source' => FILTER_VALIDATE_INT,
-        'flagged_since' => FILTER_DEFAULT,
+        'flagged_since' => FILTER_UNSAFE_RAW,
         'unread_per_source' => FILTER_VALIDATE_INT,
-        'unread_since' => FILTER_DEFAULT,
+        'unread_since' => FILTER_UNSAFE_RAW,
         'all_email_per_source' => FILTER_VALIDATE_INT,
-        'all_email_since' => FILTER_DEFAULT,
+        'all_email_since' => FILTER_UNSAFE_RAW,
         'all_per_source' => FILTER_VALIDATE_INT,
-        'all_since' => FILTER_DEFAULT,
+        'all_since' => FILTER_UNSAFE_RAW,
         'no_folder_icons' => FILTER_VALIDATE_BOOLEAN,
         'mailto_handler' => FILTER_VALIDATE_BOOLEAN,
-        'list_style' => FILTER_DEFAULT,
-        'timezone' => FILTER_DEFAULT,
+        'list_style' => FILTER_UNSAFE_RAW,
+        'timezone' => FILTER_UNSAFE_RAW,
         'disable_delete_prompt' => FILTER_VALIDATE_INT,
         'allow_delete_attachment' => FILTER_VALIDATE_INT,
-        'section_state' => FILTER_DEFAULT,
-        'section_class' => FILTER_DEFAULT,
-        'message_ids' => FILTER_DEFAULT,
-        'action_type' => FILTER_DEFAULT,
-        'server_pw_id' => FILTER_DEFAULT,
-        'message_list_since' => FILTER_DEFAULT,
+        'section_state' => FILTER_UNSAFE_RAW,
+        'section_class' => FILTER_UNSAFE_RAW,
+        'message_ids' => FILTER_UNSAFE_RAW,
+        'action_type' => FILTER_UNSAFE_RAW,
+        'server_pw_id' => FILTER_UNSAFE_RAW,
+        'message_list_since' => FILTER_UNSAFE_RAW,
         'no_password_save' => FILTER_VALIDATE_BOOLEAN,
         'start_page' => FILTER_SANITIZE_URL,
-        'default_sort_order' => FILTER_DEFAULT,
+        'default_sort_order' => FILTER_UNSAFE_RAW,
         'stay_logged_in' => FILTER_VALIDATE_BOOLEAN,
         'junk_per_source' => FILTER_VALIDATE_INT,
-        'junk_since' => FILTER_DEFAULT,
+        'junk_since' => FILTER_UNSAFE_RAW,
         'snoozed_per_source' => FILTER_VALIDATE_INT,
-        'snoozed_since' => FILTER_DEFAULT,
+        'snoozed_since' => FILTER_UNSAFE_RAW,
         'trash_per_source' => FILTER_VALIDATE_INT,
-        'trash_since' => FILTER_DEFAULT,
-        'drafts_per_source' => FILTER_DEFAULT,
-        'drafts_since' => FILTER_DEFAULT,
+        'trash_since' => FILTER_UNSAFE_RAW,
+        'drafts_per_source' => FILTER_UNSAFE_RAW,
+        'drafts_since' => FILTER_UNSAFE_RAW,
         'warn_for_unsaved_changes' => FILTER_VALIDATE_BOOLEAN,
-        'srv_setup_stepper_imap_server_id'  => FILTER_DEFAULT,
-        'srv_setup_stepper_smtp_server_id' => FILTER_DEFAULT,
-        'srv_setup_stepper_profile_name'  => FILTER_DEFAULT,
-        'srv_setup_stepper_email' => FILTER_DEFAULT,
+        'srv_setup_stepper_imap_server_id'  => FILTER_UNSAFE_RAW,
+        'srv_setup_stepper_smtp_server_id' => FILTER_UNSAFE_RAW,
+        'srv_setup_stepper_profile_name'  => FILTER_UNSAFE_RAW,
+        'srv_setup_stepper_email' => FILTER_UNSAFE_RAW,
         'srv_setup_stepper_password' => FILTER_UNSAFE_RAW,
-        'srv_setup_stepper_provider' => FILTER_DEFAULT,
+        'srv_setup_stepper_provider' => FILTER_UNSAFE_RAW,
         'srv_setup_stepper_is_sender' => FILTER_VALIDATE_BOOLEAN,
         'srv_setup_stepper_is_receiver' => FILTER_VALIDATE_BOOLEAN,
-        'srv_setup_stepper_smtp_address' => FILTER_DEFAULT,
-        'srv_setup_stepper_smtp_port' => FILTER_DEFAULT,
+        'srv_setup_stepper_smtp_address' => FILTER_UNSAFE_RAW,
+        'srv_setup_stepper_smtp_port' => FILTER_UNSAFE_RAW,
         'srv_setup_stepper_smtp_tls' => FILTER_VALIDATE_BOOLEAN,
-        'srv_setup_stepper_imap_address' => FILTER_DEFAULT,
-        'srv_setup_stepper_imap_port' => FILTER_DEFAULT,
+        'srv_setup_stepper_imap_address' => FILTER_UNSAFE_RAW,
+        'srv_setup_stepper_imap_port' => FILTER_UNSAFE_RAW,
         'srv_setup_stepper_imap_tls' => FILTER_VALIDATE_BOOLEAN,
         'srv_setup_stepper_enable_sieve' => FILTER_VALIDATE_BOOLEAN,
         'srv_setup_stepper_create_profile' => FILTER_VALIDATE_BOOLEAN,
         'srv_setup_stepper_profile_is_default' => FILTER_VALIDATE_BOOLEAN,
-        'srv_setup_stepper_profile_signature' => FILTER_DEFAULT,
-        'srv_setup_stepper_profile_reply_to' => FILTER_DEFAULT,
-        'srv_setup_stepper_imap_sieve_host' => FILTER_DEFAULT,
+        'srv_setup_stepper_profile_signature' => FILTER_UNSAFE_RAW,
+        'srv_setup_stepper_profile_reply_to' => FILTER_UNSAFE_RAW,
+        'srv_setup_stepper_imap_sieve_host' => FILTER_UNSAFE_RAW,
         'srv_setup_stepper_imap_sieve_mode_tls' => FILTER_VALIDATE_BOOLEAN,
         'srv_setup_stepper_only_jmap' => FILTER_VALIDATE_BOOLEAN,
         'srv_setup_stepper_jmap_hide_from_c_page' => FILTER_VALIDATE_BOOLEAN,
-        'srv_setup_stepper_jmap_address' => FILTER_DEFAULT,
+        'srv_setup_stepper_jmap_address' => FILTER_UNSAFE_RAW,
         'srv_setup_stepper_imap_hide_from_c_page' => FILTER_VALIDATE_BOOLEAN,
-        'images_whitelist' => FILTER_DEFAULT,
+        'images_whitelist' => FILTER_UNSAFE_RAW,
         'update' => FILTER_VALIDATE_BOOLEAN,
         'enable_child_processes' => FILTER_VALIDATE_BOOLEAN,
     )

modules/dynamic_login/setup.php

@@ -13,5 +13,5 @@
     'allowed_cookie' => array(),
     'allowed_server' => array(),
     'allowed_get' => array(),
-    'allowed_post' => array('email_provider' => FILTER_DEFAULT)
+    'allowed_post' => array('email_provider' => FILTER_UNSAFE_RAW)
 );