From 8d68dd437955820977d3a2bfbce961385e16f045 Mon Sep 17 00:00:00 2001
From: Synox <synox@users.noreply.github.com>
Date: Mon, 19 Dec 2016 23:31:13 +0100
Subject: [PATCH] fixed security issue with #5

---
 src/backend.php | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/src/backend.php b/src/backend.php
index a8afb92..a2a0022 100644
--- a/src/backend.php
+++ b/src/backend.php
@@ -114,17 +114,21 @@ function delete_mail($mailid, $username) {
         error(400, 'invalid username');
     }
     $address = get_address($name, $config['mailHostname']);
-    $mail_ids = search_mails($address, $mailbox);
 
-    if (in_array($mailid, $mail_ids)) {
-        $mailbox->deleteMail($mailid);
-        $mailbox->expungeDeletedMails();
-        print(json_encode(array("success" => true)));
+    $mail = $mailbox->getMail($mailid);
+    if ($mail !== null) {
+        // imap_search also returns partials matches. The mails have to be filtered again:
+        if (array_key_exists($address, $mail->to) || array_key_exists($address, $mail->cc)) {
+            $mailbox->deleteMail($mailid);
+            $mailbox->expungeDeletedMails();
+            print(json_encode(array("success" => true)));
+        } else {
+            error(404, 'delete error: invalid username/mailid combination');
+
+        }
     } else {
         error(404, 'delete error: invalid username/mailid combination');
     }
-
-
 }