freescout-help-desk
diff --git a/‎app/Attachment.php‎
Lines changed: 1 addition & 2 deletions b/‎app/Attachment.php‎
Lines changed: 1 addition & 2 deletions
diff --git a/‎app/Console/Commands/FetchEmails.php‎
Lines changed: 1 addition & 1 deletion b/‎app/Console/Commands/FetchEmails.php‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎app/Http/Controllers/CustomersController.php‎
Lines changed: 2 additions & 0 deletions b/‎app/Http/Controllers/CustomersController.php‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎app/Http/Controllers/OpenController.php‎
Lines changed: 20 additions & 1 deletion b/‎app/Http/Controllers/OpenController.php‎
Lines changed: 20 additions & 1 deletion
diff --git a/‎app/Mailbox.php‎
Lines changed: 33 additions & 1 deletion b/‎app/Mailbox.php‎
Lines changed: 33 additions & 1 deletion
diff --git a/‎app/Misc/Helper.php‎
Lines changed: 129 additions & 11 deletions b/‎app/Misc/Helper.php‎
Lines changed: 129 additions & 11 deletions
diff --git a/‎app/Misc/Mail.php‎
Lines changed: 2 additions & 2 deletions b/‎app/Misc/Mail.php‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎app/Module.php‎
Lines changed: 24 additions & 0 deletions b/‎app/Module.php‎
Lines changed: 24 additions & 0 deletions
@@ -278,9 +278,8 @@ public function getToken()
     /**
      * Outputs the current Attachment as download
      */
-    public function download($view = false)
+    public function download($view = false, $headers = [])
     {
-        $headers = [];
         // #533
         //return $this->getDisk()->download($this->getStorageFilePath(), \Str::ascii($this->file_name));
         if ($view) {
 
@@ -713,7 +713,7 @@ public function processMessage($message, $message_id, $mailbox, $mailboxes, $ext
 
             // Convert subject encoding
             if (preg_match('/=\?[a-z\d-]+\?[BQ]\?.*\?=/i', $subject)) {
-                $subject = iconv_mime_decode($subject, ICONV_MIME_DECODE_CONTINUE_ON_ERROR, 'UTF-8');
+                $subject = \Helper::iconvMimeDecode($subject);
             }
 
             $to = $this->formatEmailList($message->getTo());
 
@@ -264,6 +264,8 @@ public function conversations($id)
     {
         $customer = Customer::findOrFail($id);
 
+        $this->checkLimitVisibility($customer);
+
         $query = $customer->conversations()
             ->where('customer_id', $customer->id)
             ->whereIn('mailbox_id', auth()->user()->mailboxesIdsCanView())
 
@@ -189,11 +189,22 @@ public function downloadAttachment($dir_1, $dir_2, $dir_3, $file_name, Request $
                     break;
                 }
             }
+            if ($allowed_mime_type) {
+                foreach (config('app.non_viewable_mime_types') as $mime_type) {
+                    if (preg_match('#'.$mime_type.'#', $attachment->mime_type)) {
+                        $allowed_mime_type = false;
+                        break;
+                    }
+                }
+            }
             if (!$allowed_mime_type) {
                 $view_attachment = false;
             }
         }
 
+        // CSP header for exatra security.
+        $csp_header_value = "script-src 'none'; frame-src 'none'; object-src 'none'; font-src 'none'; connect-src 'none'; media-src 'none'; frame-ancestors 'none'; form-action 'none'; base-uri 'none'; sandbox";
+
         if (config('app.download_attachments_via') == 'apache') {
             // Send using Apache mod_xsendfile.
             $response = response(null)
@@ -202,6 +213,8 @@ public function downloadAttachment($dir_1, $dir_2, $dir_3, $file_name, Request $
 
             if (!$view_attachment) {
                 $response->header('Content-Disposition', 'attachment; filename="'.$attachment->file_name.'"');
+            } else {
+                $response->header('Content-Security-Policy', $csp_header_value);
             }
         } elseif (config('app.download_attachments_via') == 'nginx') {
             // Send using Nginx.
@@ -211,9 +224,15 @@ public function downloadAttachment($dir_1, $dir_2, $dir_3, $file_name, Request $
 
             if (!$view_attachment) {
                 $response->header('Content-Disposition', 'attachment; filename="'.$attachment->file_name.'"');
+            } else {
+                $response->header('Content-Security-Policy', $csp_header_value);
             }
         } else {
-            $response = $attachment->download($view_attachment);
+            $headers = [];
+            if ($view_attachment) {
+                $headers['Content-Security-Policy'] = $csp_header_value;
+            }
+            $response = $attachment->download($view_attachment, $headers);
         }
 
         return $response;
 
@@ -670,6 +670,22 @@ public static function getInProtocols()
         return \Eventy::filter('mailbox.in_protocols', self::$in_protocols);
     }
 
+    /**
+     * Determines if Fetching settings for the mailbox have been saved by admin.
+     */
+    public function inSettingsSaved()
+    {
+        return ($this->attributes['in_password'] !== null);
+    }
+
+    /**
+     * Determines if Sending settings for the mailbox have been saved by admin.
+     */
+    public function outSettingsSaved()
+    {
+        return ($this->attributes['out_password'] !== null);
+    }
+
     /**
      * Get pivot table parameters for the user.
      */
@@ -932,6 +948,15 @@ public function setMeta($key, $value)
 
     public function setMetaParam($param, $value, $save = false)
     {
+        // Encrypt some values.
+        if ($param == 'oauth' && is_array($value)) {
+            if (!empty($value['a_token'])) {
+                $value['a_token'] = \Helper::encrypt($value['a_token']);
+            }
+            if (!empty($value['r_token'])) {
+                $value['r_token'] = \Helper::encrypt($value['r_token']);
+            }
+        }
         $meta = $this->meta;
         $meta[$param] = $value;
         $this->meta = $meta;
@@ -976,7 +1001,14 @@ public function oauthEnabled()
 
     public function oauthGetParam($param)
     {
-        return $this->meta['oauth'][$param] ?? '';
+        $value = $this->meta['oauth'][$param] ?? '';
+
+        // Decrypt some values.
+        if (in_array($param, ['a_token', 'r_token'])) {
+            $value = \Helper::decrypt($value);
+        }
+
+        return $value;
     }
 
     public function inOauthEnabled()
 
@@ -1629,6 +1629,10 @@ public static function sanitizeUploadedFileData($file_path, $storage, $content =
                 $content = $storage->get($file_path);
             }
             if ($content) {
+                // Remove comments from SVG content.
+                // https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-cvr8-cw5c-5pfw
+                $content = preg_replace('/<!--(.|\s)*?-->/', '', $content);
+
                 $svg_sanitizer = new \enshrined\svgSanitize\Sanitizer();
                 $clean_content = $svg_sanitizer->sanitize($content);
                 if (!$clean_content)  {
@@ -1755,6 +1759,10 @@ public static function disableSqlRequirePrimaryKey()
     public static function downloadRemoteFileAsTmp($uri, $follow_redirects = true)
     {
         try {
+            // Sanitize URL first.
+            if (!self::sanitizeRemoteUrl($uri)) {
+                throw new \Exception('URL points to the local host', 1);
+            }
             $contents = self::getRemoteFileContents($uri, $follow_redirects);
 
             if (!$contents) {
@@ -1797,6 +1805,7 @@ public static function getRemoteFileContents($url, $follow_redirects = true)
             curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
             if ($follow_redirects) {
                 curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
+                curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
             }
             curl_setopt($ch, CURLOPT_URL, $url);
             \Helper::setCurlDefaultOptions($ch);
@@ -1832,7 +1841,27 @@ public static function getRemoteFileContents($url, $follow_redirects = true)
         }
     }
 
-    public static function sanitizeRemoteUrl($url, $throw_exception = false)
+    public static function sanitizeRemoteUrl($url, $throw_exception = false, $follow_redirects = true)
+    {
+        if (!self::checkUrlIpAndHost($url, $throw_exception)) {
+            return '';
+        }
+
+        // Follow redirects and check final IP/host.
+        if ($follow_redirects) {
+            $last_redirected_url = self::curlGetLastRedirectedUrl($url);
+
+            if ($last_redirected_url != $url) {
+                if (!self::checkUrlIpAndHost($url, $throw_exception)) {
+                    return '';
+                }
+            }
+        }
+
+        return $url;
+    }
+
+    public static function checkUrlIpAndHost($url, $throw_exception = false)
     {
         $parts = parse_url($url ?? '');
 
@@ -1854,7 +1883,15 @@ public static function sanitizeRemoteUrl($url, $throw_exception = false)
         $hostname = gethostname();
         $host_ip = gethostbyname($hostname);
 
+        // Can also include IP masks.
         $restricted_hosts = [
+            '::1', // IPv6 loopback
+            '::ffff:127.0.0.1', // IPv4-mapped IPv6
+            '169.254.169.254', // AWS/GCP/Azure metadata
+            'fd00::/8', // IPv6 ULA
+            '10.0.0.0/8', // RFC1918
+            '172.16.0.0/12', // RFC1918
+            'fd00::/8', // RFC1918
             '0.0.0.0',
             '127.0.0.1',
             'localhost',
@@ -1865,29 +1902,81 @@ public static function sanitizeRemoteUrl($url, $throw_exception = false)
             $_SERVER['LOCAL_ADDR'] ?? '',
         ];
 
-        if (in_array($parts['host'], $restricted_hosts) && !in_array($parts['host'], $host_white_list)) {
-            if ($throw_exception) {
-                throw new \Exception(__('Domain or IP address is not allowed: :%host%. Whitelist it via APP_REMOTE_HOST_WHITE_LIST .env parameter.', ['%host%' => $parts['host']]), 1);
-            } else {
-                return '';
+        if (!in_array($parts['host'], $host_white_list)) {
+            if (in_array($parts['host'], $restricted_hosts) || self::checkIpByMask($parts['host'], $restricted_hosts)) {
+                if ($throw_exception) {
+                    throw new \Exception(__('Domain or IP address is not allowed: :%host%. Whitelist it via APP_REMOTE_HOST_WHITE_LIST .env parameter.', ['%host%' => $parts['host']]), 1);
+                } else {
+                    return '';
+                }
             }
         }
 
         // Sanitize host IP address.
         $remote_host_ip = gethostbyname($parts['host']);
-        if (in_array($remote_host_ip, ['0.0.0.0', '127.0.0.1', $host_ip, $_SERVER['SERVER_ADDR'] ?? '', $_SERVER['LOCAL_ADDR'] ?? ''])
-            && !in_array($remote_host_ip, $host_white_list)
-        ) {
+        if (!in_array($remote_host_ip, $host_white_list)) {
+            if (in_array($remote_host_ip, $restricted_hosts) || self::checkIpByMask($remote_host_ip, $restricted_hosts)) {
+                if ($throw_exception) {
+                    throw new \Exception(__('Domain or IP address is not allowed: :%host%. Whitelist it via APP_REMOTE_HOST_WHITE_LIST .env parameter.', ['%host%' => $remote_host_ip]), 1);
+                } else {
+                    return '';
+                }
+            }
+        }
+
+        return $url;
+    }
+
+    // Get last redicred URL.
+    public static function curlGetLastRedirectedUrl($url, $throw_exception = false)
+    {
+        $ch = curl_init();
+
+        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
+        curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
+
+        curl_setopt($ch, CURLOPT_URL, $url);
+        // Get last effective URL.
+        
+        \Helper::setCurlDefaultOptions($ch);
+        curl_setopt($ch, CURLOPT_TIMEOUT, 180);
+        curl_exec($ch);
+
+        $curl_errno = curl_errno($ch);
+
+        if ($curl_errno) {
             if ($throw_exception) {
-                throw new \Exception(__('Domain or IP address is not allowed: :%host%. Whitelist it via APP_REMOTE_HOST_WHITE_LIST .env parameter.', ['%host%' => $remote_host_ip]), 1);
+                throw new \Exception('Could not check URL contents by following redirects: '.$curl_errno, 1);
             } else {
                 return '';
             }
         }
 
-        return $url;
+        $last_redirected_url = curl_getinfo($ch, CURLINFO_EFFECTIVE_URL);
+        if (PHP_VERSION_ID < 80000) {
+            \curl_close($ch);
+        }
+
+        return $last_redirected_url;
     }
 
+    // Returns mask or false.
+    public static function checkIpByMask($ip, $masks = [])
+    {
+        if (!strstr($ip, '/')) {
+            return false;
+        }
+        foreach ($masks as $mask) {
+            if (!strstr($mask, '/')) {
+                continue;
+            }
+            if (\Symfony\Component\HttpFoundation\IpUtils::checkIp($ip, $mask)) {
+                return $mask;
+            }
+        }
+        return false;
+    }
     public static function getTempDir()
     {
         return sys_get_temp_dir() ?: '/tmp';
@@ -2195,6 +2284,23 @@ public static function isConsole()
         return app()->runningInConsole();
     }
 
+    public static function isCron()
+    {
+        if (!self::isConsole()) {
+            return false;
+        }
+        if (php_sapi_name() == 'cli') {   
+            if (isset($_SERVER['TERM'])) {   
+                return false;
+            } else {   
+                return true;
+            }   
+        } else { 
+            // The script was run from a webserver, or something else.
+            return false;
+        }
+    }
+
     /**
      * Show a warning when background jobs sending emails
      * are not processed for some time.
@@ -2417,4 +2523,16 @@ public static function startsiWith($text, $string)
     {
         return (stripos($text, $string) === 0);
     }
+
+    // The iconv_mime_decode() may throw an error even with ICONV_MIME_DECODE_CONTINUE_ON_ERROR.
+    // https://github.com/freescout-help-desk/freescout/issues/5265
+    public static function iconvMimeDecode($string, $mode = ICONV_MIME_DECODE_CONTINUE_ON_ERROR, $encoding = "UTF-8")
+    {
+        try {
+            return iconv_mime_decode($string, $mode, $encoding);
+        } catch (\Exception $e) {
+            self::logException($e);
+            return $string;
+        }
+    }
 }
@@ -738,7 +738,7 @@ public static function imapUtf8($mime_encoded_text)
         if (function_exists('imap_utf8')) {
             return imap_utf8($mime_encoded_text);
         } else {
-            return iconv_mime_decode($mime_encoded_text, ICONV_MIME_DECODE_CONTINUE_ON_ERROR, "UTF-8");
+            return \Helper::iconvMimeDecode($mime_encoded_text);
         }
     }
 
@@ -1288,7 +1288,7 @@ public static function decodeSubject($subject)
 
         // iconv_mime_decode() can't decode:
         // =?iso-2022-jp?B?IBskQiFaSEcyPDpuQC4wTU1qIVs3Mkp2JSIlLyU3JSItahsoQg==?=
-        $subject_decoded = iconv_mime_decode($subject, ICONV_MIME_DECODE_CONTINUE_ON_ERROR, "UTF-8");
+        $subject_decoded = \Helper::iconvMimeDecode($subject);
 
         // Sometimes iconv_mime_decode() can't decode some parts of the subject:
         // =?iso-2022-jp?B?IBskQiFaSEcyPDpuQC4wTU1qIVs3Mkp2JSIlLyU3JSItahsoQg==?=
 
@@ -134,6 +134,30 @@ public static function setLicense($alias, $license)
         $module->save();
     }
 
+    /**
+     * Automatically encrypt license key.
+     */
+    public function setLicenseAttribute($value)
+    {
+        if ($value != '') {
+            $this->attributes['license'] = \Helper::encrypt($value);
+        } else {
+            $this->attributes['license'] = '';
+        }
+    }
+
+    /**
+     * Automatically decrypt license key.
+     */
+    public function getLicenseAttribute($value)
+    {
+        if (!$value) {
+            return '';
+        }
+
+        return \Helper::decrypt($value);
+    }
+
     public static function normalizeAlias($alias)
     {
         return trim(strtolower($alias));
Original file line number	Diff line number	Diff line change
`@@ -713,7 +713,7 @@ public function processMessage($message, $message_id, $mailbox, $mailboxes, $ext`
`713`	`713`
`714`	`714`	`// Convert subject encoding`
`715`	`715`	`if (preg_match('/=\?[a-z\d-]+\?[BQ]\?.*\?=/i', $subject)) {`
`716`		`- $subject = iconv_mime_decode($subject, ICONV_MIME_DECODE_CONTINUE_ON_ERROR, 'UTF-8');`
	`716`	`+ $subject = \Helper::iconvMimeDecode($subject);`
`717`	`717`	`}`
`718`	`718`
`719`	`719`	`$to = $this->formatEmailList($message->getTo());`
Original file line number	Diff line number	Diff line change
`@@ -264,6 +264,8 @@ public function conversations($id)`
`264`	`264`	`{`
`265`	`265`	`$customer = Customer::findOrFail($id);`
`266`	`266`
	`267`	`+ $this->checkLimitVisibility($customer);`
	`268`	`+`
`267`	`269`	`$query = $customer->conversations()`
`268`	`270`	`->where('customer_id', $customer->id)`
`269`	`271`	`->whereIn('mailbox_id', auth()->user()->mailboxesIdsCanView())`
Original file line number	Diff line number	Diff line change
`@@ -738,7 +738,7 @@ public static function imapUtf8($mime_encoded_text)`
`738`	`738`	`if (function_exists('imap_utf8')) {`
`739`	`739`	`return imap_utf8($mime_encoded_text);`
`740`	`740`	`} else {`
`741`		`- return iconv_mime_decode($mime_encoded_text, ICONV_MIME_DECODE_CONTINUE_ON_ERROR, "UTF-8");`
	`741`	`+ return \Helper::iconvMimeDecode($mime_encoded_text);`
`742`	`742`	`}`
`743`	`743`	`}`
`744`	`744`
`@@ -1288,7 +1288,7 @@ public static function decodeSubject($subject)`
`1288`	`1288`
`1289`	`1289`	`// iconv_mime_decode() can't decode:`
`1290`	`1290`	`// =?iso-2022-jp?B?IBskQiFaSEcyPDpuQC4wTU1qIVs3Mkp2JSIlLyU3JSItahsoQg==?=`
`1291`		`- $subject_decoded = iconv_mime_decode($subject, ICONV_MIME_DECODE_CONTINUE_ON_ERROR, "UTF-8");`
	`1291`	`+ $subject_decoded = \Helper::iconvMimeDecode($subject);`
`1292`	`1292`
`1293`	`1293`	`// Sometimes iconv_mime_decode() can't decode some parts of the subject:`
`1294`	`1294`	`// =?iso-2022-jp?B?IBskQiFaSEcyPDpuQC4wTU1qIVs3Mkp2JSIlLyU3JSItahsoQg==?=`