Merge branch 'release/1.2.3'

CHANGELOG.md

@@ -1,3 +1,40 @@
+1.2.3
+-----------
+Improvements
+- Better compatibility for MySQL 5.7 (ONLY_FULL_GROUP_BY)
+- Disable broken VIRUS_INFO per default
+- Better handling of Postfix message ids
+- Allow plus sign in username
+- Add ability to send quarantine report to single user
+- Enable users to immediately send his own quarantine report
+- Add ability for users to select the language of the gui
+- Converted some graph to Chart.js
+- Warn about installing PHP XML extension where not present
+- Add option to specify HELO hostname for SMTP transactions
+- Improved Sendmail queue code 
+- Allow blacklisting and whitelisting an entire TLD
+- Use domain admin username as domain filter
+- Database driven session enhancements
+- Add per user session timeout
+- Provides visual display of release and learned messages
+- Enhanced detail page printing
+- Enhanced upgrade.php
+- Localization updates
+- Code refactoring to clean up duplication and code smell
+
+Fixes
+- Ignores MailScanner config files (conf.d/*) in subfolders and hidden files
+- Options in messages operations do not select all the lines when clicking S/H/F/R
+- Fix issue where Mail Queue on status page displayed intermittently
+- Fix sa-learning in languages containing special chars in submit text (e.g. German)
+- Fix session conflict and multitab surfing
+- Fix broken html with certain virus names
+- Fix duplication of default rule in msre_edit.php
+- Fix errors with /etc/cron.daily/mailwatch scripts
+- Create.sql can be run on MySQL <= 5.5 again
+- Fix &amp; encoding in links
+- Fix SA-Learn blocking apache server
+
 1.2.2
 -----------
 Fixes

MailScanner_perl_scripts/SQLBlackWhiteList.pm

@@ -206,12 +206,11 @@ sub LookupList {
     my ($from, $fromdomain, @todomain, $todomain, @to, $to, $ip, $ip1, $ip1c, $ip2, $ip2c, $ip3, $ip3c, $subdom, $i, @keys, @subdomains);
     $from = $message->{from};
     $fromdomain = $message->{fromdomain};
-    # Create a array of subdomains for subdomain wildcard matching
-    #   e.g. me@this.that.example.com generates subdomain list of ('that.example.com', 'example.com')
-    #   wildcards of *.com, *.uk, *.gov, etc will never be matched for safety's sake (though *.gov.uk could be)
+    # Create a array of subdomains for subdomain and tld wildcard matching
+    #   e.g. me@this.that.example.com generates subdomain/tld list of ('that.example.com', 'example.com', 'com')
     $subdom = $fromdomain;
     @subdomains = ();
-    while ($subdom =~ /.*?\.(.*\..*)/) {
+    while ($subdom =~ /.*?\.(.*)/) {
         $subdom = $1;
         push (@subdomains, "*.".$subdom);
     }

create.sql

@@ -126,6 +126,8 @@ CREATE TABLE IF NOT EXISTS `maillog` (
   `quarantined` tinyint(1) DEFAULT '0',
   `rblspamreport` mediumtext COLLATE utf8_unicode_ci DEFAULT NULL,
   `token` CHAR(64) COLLATE utf8_unicode_ci DEFAULT NULL,
+  `released` tinyint(1) DEFAULT '0',
+  `salearn` tinyint(1) DEFAULT '0',
   PRIMARY KEY (`maillog_id`),
   KEY `maillog_datetime_idx` (`date`,`time`),
   KEY `maillog_id_idx` (`id`(20)),
@@ -136,8 +138,8 @@ CREATE TABLE IF NOT EXISTS `maillog` (
   KEY `from_domain_idx` (`from_domain`(50)),
   KEY `to_domain_idx` (`to_domain`(50)),
   KEY `maillog_quarantined` (`quarantined`),
-  KEY `timestamp_idx` (`timestamp`),
-  FULLTEXT KEY `subject_idx` (`subject`)
+  KEY `timestamp_idx` (`timestamp`)
+  /*!50604 , FULLTEXT KEY `subject_idx` (`subject`) */
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
 
 -- --------------------------------------------------------
@@ -260,6 +262,9 @@ CREATE TABLE IF NOT EXISTS `users` (
   `resetid` varchar(32) COLLATE utf8_unicode_ci DEFAULT NULL,
   `resetexpire` bigint(20) COLLATE utf8_unicode_ci DEFAULT NULL,
   `lastreset` bigint(20) COLLATE utf8_unicode_ci DEFAULT NULL,
+  `login_expiry` bigint(20) COLLATE utf8_unicode_ci DEFAULT '-1',
+  `last_login` bigint(20) COLLATE utf8_unicode_ci DEFAULT '-1',
+  `login_timeout` smallint(5) COLLATE utf8_unicode_ci DEFAULT '-1',
   PRIMARY KEY (`username`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
 

mailscanner/auto-release.php

@@ -32,13 +32,17 @@
 require_once __DIR__ . '/functions.php';
 if (file_exists('conf.php')) {
     $output = array();
-    if (isset($_GET['mid'], $_GET['r'])) {
+    if (isset($_GET['mid']) && (isset($_GET['r']) || isset($_GET['amp;r']))) {
         dbconn();
         $mid = deepSanitizeInput($_GET['mid'], 'url');
         if ($mid === false || !validateInput($mid, 'msgid')) {
             die();
         }
-        $token = deepSanitizeInput($_GET['r'], 'url');
+        if (isset($_GET['amp;r'])) {
+            $token = deepSanitizeInput($_GET['amp;r'], 'url');
+        } else {
+            $token = deepSanitizeInput($_GET['r'], 'url');
+        }
         if (!validateInput($token, 'releasetoken')) {
             die(__('dietoken99'));
         }

mailscanner/bayes_info.php

@@ -32,16 +32,14 @@
 // Require the functions page
 require_once __DIR__ . '/functions.php';
 
-// Start the session
-session_start();
 // Require the login function code
 require __DIR__ . '/login.function.php';
 
 // Start the header code and Title
 html_start(__('spamassassinbayesdatabaseinfo18'), 0, false, false);
 
 // Enter the Action in the Audit log
-audit_log(__('auditlog18'));
+audit_log(__('auditlog18', true));
 
 // Create the table
 echo '<table align="center" class="boxtable" border="0" cellspacing="1" cellpadding="1" width="690">' . "\n";
@@ -60,7 +58,7 @@
             // You can use --force-expire instead of --clear to test the routine
             passthru(SA_DIR . 'sa-learn -p ' . SA_PREFS . ' --clear', $return);
             if ($return === 0) {
-                audit_log(__('auditlogwipe18'));
+                audit_log(__('auditlogwipe18', true));
             } else {
                 echo '<div style="font-size: 10pt; font-weight: 700; text-align: center; color: red; ">' . "\n";
                 echo '<br>' . __('error18') . ' ' . $return;

mailscanner/checklogin.php

@@ -33,7 +33,7 @@
 require_once __DIR__ . '/lib/password.php';
 require_once __DIR__ . '/lib/hash_equals.php';
 disableBrowserCache();
-session_start();
+
 if (isset($_POST['token'])) {
     if (false === checkToken($_POST['token'])) {
         die(__('dietoken99'));
@@ -90,10 +90,10 @@
         if (!hash_equals(md5($mypassword), $passwordInDb)) {
             header('Location: login.php?error=baduser');
             die();
-        } else {
-            $newPasswordHash = password_hash($mypassword, PASSWORD_DEFAULT);
-            updateUserPasswordHash($myusername, $newPasswordHash);
         }
+
+        $newPasswordHash = password_hash($mypassword, PASSWORD_DEFAULT);
+        updateUserPasswordHash($myusername, $newPasswordHash);
     } else {
         // upgraded password is valid, continue as normal
         if (password_needs_rehash($passwordInDb, PASSWORD_DEFAULT)) {
@@ -157,6 +157,9 @@
     $_SESSION['global_list'] = (isset($global_list) ? $global_list : '');
     $_SESSION['global_array'] = $filter;
     $_SESSION['token'] = generateToken();
+    $_SESSION['formtoken'] = generateToken();
+    // Initialize login expiry in users table for newly logged in user
+    updateLoginExpiry($myusername);
     $redirect_url = 'index.php';
     if (isset($_SESSION['REQUEST_URI'])) {
         $redirect_url = $_SESSION['REQUEST_URI'];

mailscanner/clamav_status.php

@@ -32,16 +32,14 @@
 // Require the functions page
 require_once __DIR__ . '/functions.php';
 
-// Start the session
-session_start();
 // Require the login function code
 require __DIR__ . '/login.function.php';
 
 // Check to see if the user is an administrater
 if ($_SESSION['user_type'] !== 'A') {
     // If the user isn't an administrater send them back to the index page.
     header('Location: index.php');
-    audit_log(__('auditlog19'));
+    audit_log(__('auditlog19', true));
 } else {
     // Start the header code and Title
     html_start(__('avclamavstatus19'), 0, false, false);

mailscanner/conf.php.example

@@ -39,6 +39,19 @@ define('DEBUG', false);
 // Define language (de, en, fr, it, nl, pt_br);
 define('LANG', 'en');
 
+// Optional: If USER_SELECTABLE_LANG is defined and the value contains more than one language then the user gets a dropdown 
+// in the gui to change the language of his browser. The selectable languages are defined as a comma separated list.
+//define('USER_SELECTABLE_LANG', 'de,en,fr,it,nl,pt_br');
+
+// Session Handling - conflicts can exist when the your environment makes use of multiple php sessions on the same server
+// to resolve this, uncomment the following option.  See https://github.com/mailwatch/MailWatch/issues/730 for more info
+//define('SESSION_NAME', 'MailWatch');
+
+// Session Timeout - Sets the global session timeout value, default is 600 sec (10 minutes) if not defined
+// Range is 0 to 99999 seconds.  Setting to 0 will disable session timeout and active session statuses.
+// This can also be set individually per user in the MailWatch GUI for greater flexibility.
+//define('SESSION_TIMEOUT', 600);
+
 // Database settings
 //
 // As this file might be publically readable. It might be very userful to
@@ -92,7 +105,7 @@ define('PROXY_USER', '');
 define('PROXY_PASS', '');
 
 // Paths
-define('MAILWATCH_HOME', '/var/www/html/mailscanner');
+define('MAILWATCH_HOME', '/opt/mailwatch/mailscanner');
 define('MS_CONFIG_DIR', '/etc/MailScanner/');
 define('MS_SHARE_DIR', '/usr/share/MailScanner/'); // Path for ConfigDefs.pl file
 define('MS_LIB_DIR', '/usr/lib/MailScanner/'); // Path for sophos-wrapper file
@@ -145,6 +158,8 @@ define('SHOW_MORE_INFO_ON_REPORT_GRAPH', false);
 /* Mailwatch Interface Settings */
 define('MAILWATCH_MAIL_HOST', '127.0.0.1');
 define('MAILWATCH_MAIL_PORT', '25');
+// This is required if you use a remote SMTP server to send MailWatch emails (reports etc).
+//define('MAILWATCH_SMTP_HOSTNAME', gethostname());
 // Change with a fully qualified email address
 define('MAILWATCH_FROM_ADDR', 'postmaster@domain.tld');
 define('MAILWATCH_HOSTURL', 'http://' . rtrim(gethostname()) . '/mailscanner');
@@ -174,7 +189,11 @@ define('QUARANTINE_SENDMAIL_PATH', '/usr/sbin/sendmail');
 
 // This turns virus names into links that can be used to get more information
 // about a given virus or virus alias.  Comment out or set to false to disable.
-define('VIRUS_INFO', 'http://www.securelist.com/en/descriptions?words=%s&behavior=&Search=Search&search_type=1');
+// As of release 1.2.3 there is no reliable multivendor sources:
+// if you still want to enable this feature remember to substitute the url param containing the virus name with %s
+// look at the commented example below
+//define('VIRUS_INFO', 'http://www.securelist.com/en/descriptions?words=%s&behavior=&Search=Search&search_type=1');
+define('VIRUS_INFO', false);
 
 // Display Virus on message listing
 define('DISPLAY_VIRUS_REPORT', true);
@@ -227,6 +246,10 @@ define('RPC_ONLY', false);
 // define('EXIM_QUEUE_IN', '/usr/sbin/exim -bpc');
 // Command to read Exim outbound Mail Queue
 // define('EXIM_QUEUE_OUT', '/usr/sbin/exim -bpc -DOUTGOING');
+// Command to read Sendmail inbound Mail Queue
+// define('SENDMAIL_QUEUE_IN', '/usr/bin/mailq  -bp -OQueueDirectory=/var/spool/mqueue.in');
+// Command to read Sendmail outbound Mail Queue
+// define('SENDMAIL_QUEUE_OUT', '/usr/bin/mailq -bp');
 
 // Do you want an audit trail?
 define('AUDIT', false);
@@ -283,3 +306,4 @@ define('RESET_LINK_EXPIRE', 1);
 // define('PWD_RESET_FROM_NAME', 'Some other name'); // Set if you wish reset email sent from alternative name.
 // define('PWD_RESET_FROM_ADDRESS', 'support@yourdomain.com'); // Set is you wish reset email sent from alternative address.
 /* End Password Reset */
+

mailscanner/database.php

@@ -55,6 +55,7 @@ public static function connect($host = '', $username = '', $password = '', $data
                 });
                 self::$link = new mysqli($host, $username, $password, $database);
                 restore_error_handler();
+                self::$link->options(MYSQLI_INIT_COMMAND, "SET sql_mode=(SELECT TRIM(BOTH ',' FROM REPLACE(@@sql_mode,'ONLY_FULL_GROUP_BY','')))");
                 $charset = 'utf8';
                 if (self::$link->server_version >= 50503) {
                     //mysql version supports utf8mb4