Managesieve: Protect special scripts in managesieve_kolab_master mode

CHANGELOG.md

@@ -44,6 +44,7 @@
 - Managesieve: Support :encodeurl (RFC 5435) (#8917)
 - Managesieve: Add List-ID to the list of headers for creating new sieve-filters (#8307)
 - Managesieve: Support an array in managesieve_host option (#9447)
+- Managesieve: Protect special scripts in managesieve_kolab_master mode
 - Password: Add `ldap_samba_ad` driver (#8525)
 - Password: Allow LDAP access using LDAP URI and SASL binding (#8402)
 - Password: Use Guzzle HTTP Client in the `pwned` driver

plugins/managesieve/Changelog

@@ -1,6 +1,7 @@
 - Fix invalid line break characters in multi-line text in Sieve scripts (#9543)
 - Fix javascript error when relational or spamtest extension is not enabled (#9139)
 - Support an array in managesieve_host option (#9447)
+- Protect special scripts in managesieve_kolab_master mode
 
 * version 9.5 [2023-03-26]
 -----------------------------------------------------------

plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php

@@ -275,6 +275,10 @@ protected function load_script($script_name = null)
         }
 
         if ($script_name) {
+            if ($this->is_protected_script($script_name)) {
+                return rcube_sieve::ERROR_NOT_EXISTS;
+            }
+
             $this->sieve->load($script_name);
         }
 
@@ -426,6 +430,11 @@ public function actions()
                     $this->rc->request_security_check(rcube_utils::INPUT_GET);
 
                     $script_name = rcube_utils::get_input_string('_set', rcube_utils::INPUT_GPC, true);
+
+                    if ($this->is_protected_script($script_name)) {
+                        exit;
+                    }
+
                     $script = $this->sieve->get_script($script_name);
 
                     if ($script !== false) {
@@ -495,7 +504,8 @@ public function saveraw()
 
         $script_name = rcube_utils::get_input_string('_set', rcube_utils::INPUT_POST);
 
-        $result = $this->sieve->save_script($script_name, $_POST['rawsetcontent']);
+        $result = empty($error) && !$this->is_protected_script($script_name)
+            && $this->sieve->save_script($script_name, $_POST['rawsetcontent']);
 
         if ($result === false) {
             $this->rc->output->show_message('managesieve.filtersaveerror', 'error');
@@ -2952,6 +2962,10 @@ public function list_scripts()
      */
     public function remove_script($name)
     {
+        if ($this->is_protected_script($name)) {
+            return false;
+        }
+
         $result = $this->sieve->remove($name);
 
         // Kolab's KEP:14
@@ -3112,6 +3126,20 @@ public function save_script($name = null)
         return $this->sieve->save($name);
     }
 
+    /**
+     * Check if the script is protected
+     */
+    protected function is_protected_script($name)
+    {
+        if ($this->rc->config->get('managesieve_kolab_master')) {
+            if (in_array(strtoupper($name), ['MASTER', 'MANAGEMENT', 'USER'])) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
     /**
      * Returns list of rules from the current script
      *