Improved config file name in getmail plugin.

Author: tbrehm

server/plugins-available/getmail_plugin.inc.php

@@ -91,7 +91,7 @@ function update($event_name,$data) {
 			$this->delete($event_name,$data);
 
 			// Get the new config file path
-			$config_file_path = escapeshellcmd($this->getmail_config_dir.'/'.$data["new"]["source_server"].'_'.$data["new"]["source_username"].'.conf');
+			$config_file_path = escapeshellcmd($this->getmail_config_dir.'/'.$this->_clean_path($data["new"]["source_server"]).'_'.$this->_clean_path($data["new"]["source_username"]).'.conf');
 			if(stristr($config_file_path, "..") or stristr($config_file_path, "|") or stristr($config_file_path,";") or stristr($config_file_path,'$')) {
 				$app->log("Possibly faked path for getmail config file: '$config_file_path'. File is not written.",LOGLEVEL_ERROR);
 				return false;
@@ -155,14 +155,18 @@ function delete($event_name,$data) {
 		$getmail_config = $app->getconf->get_server_config($conf["server_id"], 'getmail');
 		$this->getmail_config_dir = $getmail_config["getmail_config_dir"];
 
-		$config_file_path = escapeshellcmd($this->getmail_config_dir.'/'.$data["old"]["source_server"].'_'.$data["old"]["source_username"].'.conf');
+		$config_file_path = escapeshellcmd($this->getmail_config_dir.'/'.$this->_clean_path($data["old"]["source_server"]).'_'.$this->_clean_path($data["old"]["source_username"]).'.conf');
 		if(stristr($config_file_path,"..") || stristr($config_file_path,"|") || stristr($config_file_path,";") || stristr($config_file_path,'$')) {
 			$app->log("Possibly faked path for getmail config file: '$config_file_path'. File is not written.",LOGLEVEL_ERROR);
 			return false;
 		}
 		if(is_file($config_file_path)) unlink($config_file_path);
 	}
 
+	function _clean_path($input) {
+		return preg_replace('/[^A-Za-z0-9\-_]/', '_', $input);
+	}
+	
 
 } // end class