From 81550bd7a8d172fdbc9a36ef2aff4a96dfc29118 Mon Sep 17 00:00:00 2001
From: wrongecho
Date: Wed, 3 Dec 2025 15:13:52 +0000
Subject: [PATCH 1/3] Ticket merge input - strip text
---
 agent/ajax.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/agent/ajax.php b/agent/ajax.php
index 4a37f0e0..0b27f9b8 100644
--- a/agent/ajax.php
+++ b/agent/ajax.php
@@ -46,7 +46,7 @@ if (isset($_GET['certificate_fetch_parse_json_details'])) {
 if (isset($_GET['merge_ticket_get_json_details'])) {
 enforceUserPermission('module_support');
- $merge_into_ticket_number = intval($_GET['merge_into_ticket_number']);
+ $merge_into_ticket_number = intval(preg_replace('/[^0-9]/', '', $_GET['merge_into_ticket_number']));
 $sql = mysqli_query($mysqli, "SELECT ticket_id, ticket_number, ticket_prefix, ticket_subject, ticket_priority, ticket_status, ticket_status_name, client_name, contact_name FROM tickets LEFT JOIN clients ON ticket_client_id = client_id
From 10bfbed4bbc562086bc4d0f099a6a0b1773bf5e5 Mon Sep 17 00:00:00 2001
From: wrongecho
Date: Wed, 3 Dec 2025 15:30:26 +0000
Subject: [PATCH 2/3] Mail queue - introduce a --no-mx-validation flag to bypass recipient domain MX validation
---
 cron/mail_queue.php | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/cron/mail_queue.php b/cron/mail_queue.php
index ebedb830..29e91481 100644
--- a/cron/mail_queue.php
+++ b/cron/mail_queue.php
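Review bot: In agent/ajax.php, deleting every non-digit before `intval()` silently rewrites malformed input into some other ticket number instead of rejecting it: `12a3` becomes 123, `1e3` becomes 13, and an array-valued parameter makes `preg_replace()` return an array, which `intval()` turns into 1. Because this value selects the ticket a merge will target, a typo should end in "not found" rather than in another ticket's details. Accept only an optional prefix followed by digits, for example `$raw = $_GET['merge_into_ticket_number'] ?? '';` followed by `$merge_into_ticket_number = (is_string($raw) && preg_match('/^\D*(\d+)$/', trim($raw), $m)) ? intval($m[1]) : 0;`. The integer cast does keep the value safe for the query that follows, but that query continues past the end of the hunk, so how the number is used there is not visible.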
@@ -223,9 +223,8 @@ if (mysqli_num_rows($sql_queue) > 0) {
 mysqli_query($mysqli, "UPDATE email_queue SET email_status = 1 WHERE email_id = $email_id");
- // Check recipient
- $domain = sanitizeInput(substr($email_recipient, strpos($email_recipient, '@') + 1));
- if (!filter_var($email_recipient, FILTER_VALIDATE_EMAIL) || !checkdnsrr($domain, 'MX')) {
+ // Basic recipient syntax check
+ if (!filter_var($email_recipient, FILTER_VALIDATE_EMAIL)) {
 mysqli_query($mysqli, "UPDATE email_queue SET email_status = 2, email_attempts = 99 WHERE email_id = $email_id");
 $email_to_logging = sanitizeInput($email_recipient);
 $email_subject_logging = sanitizeInput($rowq['email_subject']);
@@ -234,6 +233,17 @@ if (mysqli_num_rows($sql_queue) > 0) {
 continue;
 }
+ // More intelligent recipient MX check (if not disabled with --no-mx-validation)
+ $domain = sanitizeInput(substr($email_recipient, strpos($email_recipient, '@') + 1));
+ if (!in_array('--no-mx-validation', $argv) && !checkdnsrr($domain, 'MX')) {
+ mysqli_query($mysqli, "UPDATE email_queue SET email_status = 2, email_attempts = 99 WHERE email_id = $email_id");
+ $email_to_logging = sanitizeInput($email_recipient);
+ $email_subject_logging = sanitizeInput($rowq['email_subject']);
+ logApp("Cron-Mail-Queue", "Error", "Failed to send email: $email_id to $email_to_logging due to invalid recipient domain (no MX). Email subject was: $email_subject_logging");
+ appNotify("Mail", "Failed to send email #$email_id to $email_to_logging due to invalid recipient domain (no MX): Email subject was: $email_subject_logging");
+ continue;
+ }
+
 try {
 sendQueueEmail(
 ($config_smtp_provider ?: 'standard_smtp'),
From 7c83ba15b92d5ab525d9a8101b01b8f5223162bb Mon Sep 17 00:00:00 2001
From: wrongecho
Date: Wed, 3 Dec 2025 15:43:55 +0000
Subject: [PATCH 3/3] Mail queue - minor comment syntax error
---
 cron/mail_queue.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
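Review bot: In cron/mail_queue.php, the added `in_array('--no-mx-validation', $argv)` in the second hunk reads `$argv` directly, and that variable is only populated when the script runs under the CLI; invoked any other way, PHP 8 raises a TypeError from `in_array()` inside the queue loop, after the row was already switched to `email_status = 1` a few lines earlier. Resolve the flag once before the loop with a strict comparison, e.g. `$skip_mx_check = in_array('--no-mx-validation', $argv ?? [], true);`, and test `!$skip_mx_check && !checkdnsrr($domain, 'MX')` here. Separately, `checkdnsrr()` returns false for a resolver failure as well as for a missing record, and `email_attempts = 99` puts the row beyond the `attempts < 4` retry window described further down the file, so without the flag a transient DNS error still discards the message for good; a short comment stating that this is intended would help operators decide whether to pass the flag. The enclosing loop starts and ends outside the hunk.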
diff --git a/cron/mail_queue.php b/cron/mail_queue.php
index 29e91481..c0098dc4 100644
--- a/cron/mail_queue.php
+++ b/cron/mail_queue.php
@@ -285,7 +285,8 @@ if (mysqli_num_rows($sql_queue) > 0) {
 /** =======================================================================
 * RETRIES: status = 2 (Failed), attempts < 4, wait 30 min
 * NOTE: Backoff is `email_failed_at <= NOW() - INTERVAL 30 MINUTE`
- * =======================================================================*/
+ * =======================================================================
+ */
 $sql_failed_queue = mysqli_query(
 $mysqli,
 "SELECT * FROM email_queue