From f203bec5676083835e300d941c1830ee433a20cc Mon Sep 17 00:00:00 2001
From: Humorhenker
Date: Wed, 10 Nov 2021 15:55:10 +0100
Subject: [PATCH] prevent creation of lists with the address of existing accounts and the other way around
---
 public/bin/addmaillist.php | 38 ++++++++++++++++++++++-------------
 public/bin/createmailuser.php | 13 +++++++++---
 public/bin/editlist.php | 24 ++++++++++++++++------
 3 files changed, 52 insertions(+), 23 deletions(-)
diff --git a/public/bin/addmaillist.php b/public/bin/addmaillist.php
index b919d7c..c441fc7 100644
--- a/public/bin/addmaillist.php
+++ b/public/bin/addmaillist.php
@@ -25,21 +25,31 @@ session_start(); if ($_SESSION['log'] == 1 && $_SESSION['admin']) { if (!isset($_POST['newlistislist'])) $islist = 0; // wenn die checkbox nicht ausgewählt wurde ist die Post Variable nicht gesetzt, dass stört die Datenbank, deshalb wird Null eingertragen else $islist = $_POST['newlistislist']; - $eintrag = "INSERT INTO `alias_details` (`name`, `owners`, `destinations`, `security`, `islist`) VALUES (:newlistname, :owners, :destinations, :security, :islist)"; // Aliasdaten in MailServer DB eintragen - $sth = $dbh->prepare($eintrag); - $sth->execute(array(':newlistname' => $_POST['newlistname'], ':owners' => $_POST['newlistowners'], ':destinations' => $_POST['newlistdestinations'], ':security' => $_POST['newlistsecurity'], ':islist' => $islist)); - $newlistid = $dbh->lastInsertID(); - foreach (explode(' ', $_POST['newlistowners']) as $maillistowner) { - $maillistownerex = explode('@', $maillistowner); - $eintrag = "INSERT INTO `alias_owner` (`alias_id`, `owner_username`, `owner_domain`) VALUES (:aliasid, :owner_username, :owner_domain)"; // Aliasdaten in MailServer DB eintragen + + // check if an account with same address exists + $abfrage = "SELECT 1 FROM `accounts` WHERE `username` = :username AND `domain` = :domain"; + $sth = $dbh->prepare($abfrage); + $sth->execute(array(':username' => $_POST['newlistsourceadress'], ':domain' => $_POST['newlistsourcedomain'])); + $result = $sth->fetchAll(); + // only create the list if no account with the same adress exists + if ($result[0][1] !== 1) { + $newlistsource = $_POST['newlistsourceadress'] . '@' . 
$_POST['newlistsourcedomain']; + $eintrag = "INSERT INTO `alias_details` (`name`, `owners`, `source`, `destinations`, `security`, `islist`) VALUES (:newlistname, :owners, :source, :destinations, :security, :islist)"; // Aliasdaten in MailServer DB eintragen $sth = $dbh->prepare($eintrag); - $sth->execute(array(':aliasid' => $newlistid, ':owner_username' => $maillistownerex[0], ':owner_domain' => $maillistownerex[1])); - } - foreach (explode(' ', $_POST['newlistdestinations']) as $maillistdestination) { - $maillistdestinationex = explode('@', $maillistdestination); - $eintrag = "INSERT INTO `aliases` (`alias_id`, `source_username`, `source_domain`, `destination_username`, `destination_domain`) VALUES (:aliasid, :source_username, :source_domain, :destination_username, :destination_domain)"; // Aliasdaten in MailServer DB eintragen - $sth = $dbh->prepare($eintrag); - $sth->execute(array(':aliasid' => $newlistid, ':source_username' => $_POST['newlistsourceadress'], ':source_domain' => $_POST['newlistsourcedomain'], ':destination_username' => $maillistdestinationex[0], ':destination_domain' => $maillistdestinationex[1])); + $sth->execute(array(':newlistname' => $_POST['newlistname'], ':owners' => $_POST['newlistowners'], ':source' => $newlistsource, ':destinations' => $_POST['newlistdestinations'], ':security' => $_POST['newlistsecurity'], ':islist' => $islist)); + $newlistid = $dbh->lastInsertID(); + foreach (explode(' ', $_POST['newlistowners']) as $maillistowner) { + $maillistownerex = explode('@', $maillistowner); + $eintrag = "INSERT INTO `alias_owner` (`alias_id`, `owner_username`, `owner_domain`) VALUES (:aliasid, :owner_username, :owner_domain)"; // Aliasdaten in MailServer DB eintragen + $sth = $dbh->prepare($eintrag); + $sth->execute(array(':aliasid' => $newlistid, ':owner_username' => $maillistownerex[0], ':owner_domain' => $maillistownerex[1])); + } + foreach (explode(' ', $_POST['newlistdestinations']) as $maillistdestination) { + $maillistdestinationex = 
explode('@', $maillistdestination); + $eintrag = "INSERT INTO `aliases` (`alias_id`, `source_username`, `source_domain`, `destination_username`, `destination_domain`) VALUES (:aliasid, :source_username, :source_domain, :destination_username, :destination_domain)"; // Aliasdaten in MailServer DB eintragen + $sth = $dbh->prepare($eintrag); + $sth->execute(array(':aliasid' => $newlistid, ':source_username' => $_POST['newlistsourceadress'], ':source_domain' => $_POST['newlistsourcedomain'], ':destination_username' => $maillistdestinationex[0], ':destination_domain' => $maillistdestinationex[1])); + } } } header("Location: maillistsettings.php"); diff --git a/public/bin/createmailuser.php b/public/bin/createmailuser.php index 4390965..0a99d53 100644 --- a/public/bin/createmailuser.php +++ b/public/bin/createmailuser.php @@ -65,12 +65,19 @@ function createmailuser($newmailusername, $newmaildomainid, $newmailpw, $newmail } if (strlen($newmailpw) >= 8) { if ($newmailpw == $newmailpwrep) { + // check if an account with same address exists $abfrage = "SELECT 1 FROM `accounts` WHERE `username` = :newmailusername AND `domain` = :newmaildomain"; $sth = $dbh->prepare($abfrage); $sth->execute(array(':newmailusername' => $newmailusername, ':newmaildomain' => $newmaildomain)); $result = $sth->fetchAll(); - //print_r($result); - if ($result[0][1] !== 1) { + + // check if a list with same address exists + $abfrage = "SELECT 1 FROM `aliases` WHERE `source_username` = :source_username AND `source_domain` = :source_domain"; + $sth = $dbh->prepare($abfrage); + $sth->execute(array(':source_username' => $newmailusername, ':source_domain' => $newmaildomain)); + $result_list = $sth->fetchAll(); + + if ($result[0][1] !== 1 and $result_list[0][1] !== 1 ) { $newmailpwhashed = password_hash($newmailpw, PASSWORD_ARGON2I, ['memory_cost' => 32768, 'time_cost' => 4]); //$createdtimestamp = date("Y-m-d H:i:s"); // if ($config['maildirencryption']) { 
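Review bot: The guard `if ($result[0][1] !== 1)` depends on how the PDO driver types the selected value. If the column comes back as the string `'1'`, which can happen with emulated prepares or `PDO::ATTR_STRINGIFY_FETCHES`, the strict comparison is always true and the list is created even though the account exists. On an empty result it also reads an undefined offset. Testing for the presence of a row avoids both, for example `if ($sth->fetchColumn() === false) {`; the same pattern is used in the createmailuser.php and editlist.php hunks of this patch. When the address is taken the script goes straight to the redirect, so the admin gets no indication that nothing was created.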
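Review bot: The two existence checks and the account insert (which lies outside this hunk) run as separate statements with nothing visible that makes them atomic. Two concurrent requests, one creating a list and one creating an account for the same address, can both pass their checks and leave the collision this patch is meant to exclude, with mail for that address reaching an unintended recipient. Running the check and the insert inside one transaction with locking reads (`SELECT ... FOR UPDATE`), or enforcing uniqueness in the schema, would close the window; the schema is not shown here, so an existing constraint may already cover part of this. The body of `createmailuser()` starts and continues outside the hunk.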
@@ -109,7 +116,7 @@ function createmailuser($newmailusername, $newmaildomainid, $newmailpw, $newmail exit; } else { // Emailadresse ist bereits registriert if ($admin == 1) { - header("Location: ../admin.php?fehler=Mail besteht schon"); + header("Location: ../admin.php?fehler=Mail oder Liste besteht schon"); exit; } else { header("Location: createmailpre.php?mailalreadytaken=1"); diff --git a/public/bin/editlist.php b/public/bin/editlist.php index 9268275..2625d8e 100644 --- a/public/bin/editlist.php +++ b/public/bin/editlist.php 
@@ -59,13 +59,25 @@ if ($_SESSION['log'] == 1) { $newlistsource = $_POST['newlistsource']; $newlistsourceexp = explode('@', $newlistsource); if ($newlistsource != $oldlistsource) { - $abfrage = "UPDATE `alias_details` SET `source` = :source WHERE `id` LIKE :alias_id"; - $result = $dbh->prepare($abfrage); - $result->execute(array(':source' => $newlistsource, ':alias_id' => $_POST['editlistid'])); + // check if an account with same address exists + $abfrage = "SELECT 1 FROM `accounts` WHERE `username` = :username AND `domain` = :domain"; + $sth = $dbh->prepare($abfrage); + $sth->execute(array(':username' => $newlistsourceexp[0], ':domain' => $newlistsourceexp[1])); + $result = $sth->fetchAll(); + + if ($result[0][1] !== 1) { + $abfrage = "UPDATE `alias_details` SET `source` = :source WHERE `id` LIKE :alias_id"; + $result = $dbh->prepare($abfrage); + $result->execute(array(':source' => $newlistsource, ':alias_id' => $_POST['editlistid'])); - $abfrage = "UPDATE `aliases` SET `source_username` = :source_username, `source_domain` = :source_domain WHERE `alias_id` LIKE :alias_id"; - $result = $dbh->prepare($abfrage); - $result->execute(array(':source_username' => $newlistsourceexp[0], ':source_domain' => $newlistsourceexp[1], ':alias_id' => $_POST['editlistid'])); + $abfrage = "UPDATE `aliases` SET `source_username` = :source_username, `source_domain` = :source_domain WHERE `alias_id` LIKE :alias_id"; + $result = $dbh->prepare($abfrage); + $result->execute(array(':source_username' => $newlistsourceexp[0], ':source_domain' => $newlistsourceexp[1], ':alias_id' => $_POST['editlistid'])); + } + else { + $newlistsource = $oldlistsource; + $newlistsourceexp = explode('@', $newlistsource); + } } } else {
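Review bot: Both `UPDATE` statements kept inside the new `if` match the row with `LIKE :alias_id` on the raw `$_POST['editlistid']`. `LIKE` treats `%` and `_` in that value as wildcards, so the update is not guaranteed to touch exactly one list. Comparing with `=` and binding `(int) $_POST['editlistid']` restricts it to a single id; any ownership check for that id would be outside this hunk and should be confirmed. The posted source is also split with `explode('@', ...)` without checking that it produced two parts, so a value without `@` reaches the account lookup with an undefined domain and then passes it. On a collision the code silently falls back to `$oldlistsource`, so the user is not told why the change was ignored.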