From d5d4d6c33711ad81c91b923ebdf8e755e70ab4f8 Mon Sep 17 00:00:00 2001
From: hoellen <dev@hoellen.eu>
Date: Fri, 4 Jan 2019 18:01:46 +0100
Subject: [PATCH 1/2] harden email address validation and fix routes with
 user_email

---
 core/admin/mailu/internal/views/dovecot.py | 10 +++++-----
 core/admin/mailu/ui/forms.py               |  2 +-
 core/admin/mailu/ui/views/fetches.py       |  4 ++--
 core/admin/mailu/ui/views/managers.py      |  2 +-
 core/admin/mailu/ui/views/tokens.py        |  4 ++--
 core/admin/mailu/ui/views/users.py         | 12 ++++++------
 6 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/core/admin/mailu/internal/views/dovecot.py b/core/admin/mailu/internal/views/dovecot.py
index 463ecc20..f44f59bc 100644
--- a/core/admin/mailu/internal/views/dovecot.py
+++ b/core/admin/mailu/internal/views/dovecot.py
@@ -6,7 +6,7 @@ import flask
 import socket
 import os
 
-@internal.route("/dovecot/passdb/<user_email>")
+@internal.route("/dovecot/passdb/<path:user_email>")
 def dovecot_passdb_dict(user_email):
     user = models.User.query.get(user_email) or flask.abort(404)
     allow_nets = []
@@ -20,7 +20,7 @@ def dovecot_passdb_dict(user_email):
     })
 
 
-@internal.route("/dovecot/userdb/<user_email>")
+@internal.route("/dovecot/userdb/<path:user_email>")
 def dovecot_userdb_dict(user_email):
     user = models.User.query.get(user_email) or flask.abort(404)
     return flask.jsonify({
@@ -28,7 +28,7 @@ def dovecot_userdb_dict(user_email):
     })
 
 
-@internal.route("/dovecot/quota/<ns>/<user_email>", methods=["POST"])
+@internal.route("/dovecot/quota/<ns>/<path:user_email>", methods=["POST"])
 def dovecot_quota(ns, user_email):
     user = models.User.query.get(user_email) or flask.abort(404)
     if ns == "storage":
@@ -37,12 +37,12 @@ def dovecot_quota(ns, user_email):
     return flask.jsonify(None)
 
 
-@internal.route("/dovecot/sieve/name/<script>/<user_email>")
+@internal.route("/dovecot/sieve/name/<script>/<path:user_email>")
 def dovecot_sieve_name(script, user_email):
     return flask.jsonify(script)
 
 
-@internal.route("/dovecot/sieve/data/default/<user_email>")
+@internal.route("/dovecot/sieve/data/default/<path:user_email>")
 def dovecot_sieve_data(user_email):
     user = models.User.query.get(user_email) or flask.abort(404)
     return flask.jsonify(flask.render_template("default.sieve", user=user))
diff --git a/core/admin/mailu/ui/forms.py b/core/admin/mailu/ui/forms.py
index d71766fc..5ee6da7d 100644
--- a/core/admin/mailu/ui/forms.py
+++ b/core/admin/mailu/ui/forms.py
@@ -6,7 +6,7 @@ import flask_login
 import flask_wtf
 import re
 
-LOCALPART_REGEX = "^[a-zA-Z0-9.!#$%&’*+/=?^_`{|}~-]+$"
+LOCALPART_REGEX = "^[a-zA-Z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-zA-Z0-9!#$%&'*+/=?^_`{|}~-]+)*$"
 
 class DestinationField(fields.SelectMultipleField):
     """ Allow for multiple emails selection from current user choices and
diff --git a/core/admin/mailu/ui/views/fetches.py b/core/admin/mailu/ui/views/fetches.py
index c0421146..d9f55404 100644
--- a/core/admin/mailu/ui/views/fetches.py
+++ b/core/admin/mailu/ui/views/fetches.py
@@ -6,7 +6,7 @@ import flask_login
 
 
 @ui.route('/fetch/list', methods=['GET', 'POST'], defaults={'user_email': None})
-@ui.route('/fetch/list/<user_email>', methods=['GET'])
+@ui.route('/fetch/list/<path:user_email>', methods=['GET'])
 @access.owner(models.User, 'user_email')
 def fetch_list(user_email):
     user_email = user_email or flask_login.current_user.email
@@ -15,7 +15,7 @@ def fetch_list(user_email):
 
 
 @ui.route('/fetch/create', methods=['GET', 'POST'], defaults={'user_email': None})
-@ui.route('/fetch/create/<user_email>', methods=['GET', 'POST'])
+@ui.route('/fetch/create/<path:user_email>', methods=['GET', 'POST'])
 @access.owner(models.User, 'user_email')
 def fetch_create(user_email):
     user_email = user_email or flask_login.current_user.email
diff --git a/core/admin/mailu/ui/views/managers.py b/core/admin/mailu/ui/views/managers.py
index 45974f94..746e7367 100644
--- a/core/admin/mailu/ui/views/managers.py
+++ b/core/admin/mailu/ui/views/managers.py
@@ -38,7 +38,7 @@ def manager_create(domain_name):
         domain=domain, form=form)
 
 
-@ui.route('/manager/delete/<domain_name>/<user_email>', methods=['GET', 'POST'])
+@ui.route('/manager/delete/<domain_name>/<path:user_email>', methods=['GET', 'POST'])
 @access.confirmation_required("remove manager {user_email}")
 @access.domain_admin(models.Domain, 'domain_name')
 def manager_delete(domain_name, user_email):
diff --git a/core/admin/mailu/ui/views/tokens.py b/core/admin/mailu/ui/views/tokens.py
index 3864617b..069587e1 100644
--- a/core/admin/mailu/ui/views/tokens.py
+++ b/core/admin/mailu/ui/views/tokens.py
@@ -9,7 +9,7 @@ import wtforms_components
 
 
 @ui.route('/token/list', methods=['GET', 'POST'], defaults={'user_email': None})
-@ui.route('/token/list/<user_email>', methods=['GET'])
+@ui.route('/token/list/<path:user_email>', methods=['GET'])
 @access.owner(models.User, 'user_email')
 def token_list(user_email):
     user_email = user_email or flask_login.current_user.email
@@ -18,7 +18,7 @@ def token_list(user_email):
 
 
 @ui.route('/token/create', methods=['GET', 'POST'], defaults={'user_email': None})
-@ui.route('/token/create/<user_email>', methods=['GET', 'POST'])
+@ui.route('/token/create/<path:user_email>', methods=['GET', 'POST'])
 @access.owner(models.User, 'user_email')
 def token_create(user_email):
     user_email = user_email or flask_login.current_user.email
diff --git a/core/admin/mailu/ui/views/users.py b/core/admin/mailu/ui/views/users.py
index 4cbe7a97..e3c03848 100644
--- a/core/admin/mailu/ui/views/users.py
+++ b/core/admin/mailu/ui/views/users.py
@@ -43,7 +43,7 @@ def user_create(domain_name):
         domain=domain, form=form)
 
 
-@ui.route('/user/edit/<user_email>', methods=['GET', 'POST'])
+@ui.route('/user/edit/<path:user_email>', methods=['GET', 'POST'])
 @access.domain_admin(models.User, 'user_email')
 def user_edit(user_email):
     user = models.User.query.get(user_email) or flask.abort(404)
@@ -71,7 +71,7 @@ def user_edit(user_email):
         domain=user.domain, max_quota_bytes=max_quota_bytes)
 
 
-@ui.route('/user/delete/<user_email>', methods=['GET', 'POST'])
+@ui.route('/user/delete/<path:user_email>', methods=['GET', 'POST'])
 @access.domain_admin(models.User, 'user_email')
 @access.confirmation_required("delete {user_email}")
 def user_delete(user_email):
@@ -85,7 +85,7 @@ def user_delete(user_email):
 
 
 @ui.route('/user/settings', methods=['GET', 'POST'], defaults={'user_email': None})
-@ui.route('/user/usersettings/<user_email>', methods=['GET', 'POST'])
+@ui.route('/user/usersettings/<path:user_email>', methods=['GET', 'POST'])
 @access.owner(models.User, 'user_email')
 def user_settings(user_email):
     user_email_or_current = user_email or flask_login.current_user.email
@@ -109,7 +109,7 @@ def user_settings(user_email):
 
 
 @ui.route('/user/password', methods=['GET', 'POST'], defaults={'user_email': None})
-@ui.route('/user/password/<user_email>', methods=['GET', 'POST'])
+@ui.route('/user/password/<path:user_email>', methods=['GET', 'POST'])
 @access.owner(models.User, 'user_email')
 def user_password(user_email):
     user_email_or_current = user_email or flask_login.current_user.email
@@ -129,7 +129,7 @@ def user_password(user_email):
 
 
 @ui.route('/user/forward', methods=['GET', 'POST'], defaults={'user_email': None})
-@ui.route('/user/forward/<user_email>', methods=['GET', 'POST'])
+@ui.route('/user/forward/<path:user_email>', methods=['GET', 'POST'])
 @access.owner(models.User, 'user_email')
 def user_forward(user_email):
     user_email_or_current = user_email or flask_login.current_user.email
@@ -146,7 +146,7 @@ def user_forward(user_email):
 
 
 @ui.route('/user/reply', methods=['GET', 'POST'], defaults={'user_email': None})
-@ui.route('/user/reply/<user_email>', methods=['GET', 'POST'])
+@ui.route('/user/reply/<path:user_email>', methods=['GET', 'POST'])
 @access.owner(models.User, 'user_email')
 def user_reply(user_email):
     user_email_or_current = user_email or flask_login.current_user.email

From 8fe1e788b3cffedb5b56ca51e24500c201806b0a Mon Sep 17 00:00:00 2001
From: hoellen <dev@hoellen.eu>
Date: Fri, 4 Jan 2019 21:18:51 +0100
Subject: [PATCH 2/2] add missing route fixes

---
 core/admin/mailu/internal/views/postfix.py | 10 +++++-----
 core/admin/mailu/ui/views/admins.py        |  2 +-
 core/admin/mailu/ui/views/aliases.py       |  4 ++--
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/core/admin/mailu/internal/views/postfix.py b/core/admin/mailu/internal/views/postfix.py
index 5ff31584..e94bfc28 100644
--- a/core/admin/mailu/internal/views/postfix.py
+++ b/core/admin/mailu/internal/views/postfix.py
@@ -12,13 +12,13 @@ def postfix_mailbox_domain(domain_name):
     return flask.jsonify(domain.name)
 
 
-@internal.route("/postfix/mailbox/<email>")
+@internal.route("/postfix/mailbox/<path:email>")
 def postfix_mailbox_map(email):
     user = models.User.query.get(email) or flask.abort(404)
     return flask.jsonify(user.email)
 
 
-@internal.route("/postfix/alias/<alias>")
+@internal.route("/postfix/alias/<path:alias>")
 def postfix_alias_map(alias):
     localpart, domain_name = models.Email.resolve_domain(alias)
     if localpart is None:
@@ -27,7 +27,7 @@ def postfix_alias_map(alias):
     return flask.jsonify(",".join(destination)) if destination else flask.abort(404)
 
 
-@internal.route("/postfix/transport/<email>")
+@internal.route("/postfix/transport/<path:email>")
 def postfix_transport(email):
     if email == '*':
         return flask.abort(404)
@@ -36,7 +36,7 @@ def postfix_transport(email):
     return flask.jsonify("smtp:[{}]".format(relay.smtp))
 
 
-@internal.route("/postfix/sender/login/<sender>")
+@internal.route("/postfix/sender/login/<path:sender>")
 def postfix_sender_login(sender):
     localpart, domain_name = models.Email.resolve_domain(sender)
     if localpart is None:
@@ -45,7 +45,7 @@ def postfix_sender_login(sender):
     return flask.jsonify(",".join(destination)) if destination else flask.abort(404)
 
 
-@internal.route("/postfix/sender/access/<sender>")
+@internal.route("/postfix/sender/access/<path:sender>")
 def postfix_sender_access(sender):
     """ Simply reject any sender that pretends to be from a local domain
     """
diff --git a/core/admin/mailu/ui/views/admins.py b/core/admin/mailu/ui/views/admins.py
index 7462c545..7daa9d31 100644
--- a/core/admin/mailu/ui/views/admins.py
+++ b/core/admin/mailu/ui/views/admins.py
@@ -33,7 +33,7 @@ def admin_create():
     return flask.render_template('admin/create.html', form=form)
 
 
-@ui.route('/admin/delete/<admin>', methods=['GET', 'POST'])
+@ui.route('/admin/delete/<path:admin>', methods=['GET', 'POST'])
 @access.global_admin
 @access.confirmation_required("delete admin {admin}")
 def admin_delete(admin):
diff --git a/core/admin/mailu/ui/views/aliases.py b/core/admin/mailu/ui/views/aliases.py
index eaab5cad..5e65c86d 100644
--- a/core/admin/mailu/ui/views/aliases.py
+++ b/core/admin/mailu/ui/views/aliases.py
@@ -36,7 +36,7 @@ def alias_create(domain_name):
         domain=domain, form=form)
 
 
-@ui.route('/alias/edit/<alias>', methods=['GET', 'POST'])
+@ui.route('/alias/edit/<path:alias>', methods=['GET', 'POST'])
 @access.domain_admin(models.Alias, 'alias')
 def alias_edit(alias):
     alias = models.Alias.query.get(alias) or flask.abort(404)
@@ -53,7 +53,7 @@ def alias_edit(alias):
         form=form, alias=alias, domain=alias.domain)
 
 
-@ui.route('/alias/delete/<alias>', methods=['GET', 'POST'])
+@ui.route('/alias/delete/<path:alias>', methods=['GET', 'POST'])
 @access.domain_admin(models.Alias, 'alias')
 @access.confirmation_required("delete {alias}")
 def alias_delete(alias):