Merge pull request #796 from hoellen/fix-username-chars-1

harden email address validation and fix routes with user_email
master
mergify[bot] 6 years ago committed by GitHub
commit 4733f15c0c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -6,7 +6,7 @@ import flask
import socket import socket
import os import os
@internal.route("/dovecot/passdb/<user_email>") @internal.route("/dovecot/passdb/<path:user_email>")
def dovecot_passdb_dict(user_email): def dovecot_passdb_dict(user_email):
user = models.User.query.get(user_email) or flask.abort(404) user = models.User.query.get(user_email) or flask.abort(404)
allow_nets = [] allow_nets = []
@ -20,7 +20,7 @@ def dovecot_passdb_dict(user_email):
}) })
@internal.route("/dovecot/userdb/<user_email>") @internal.route("/dovecot/userdb/<path:user_email>")
def dovecot_userdb_dict(user_email): def dovecot_userdb_dict(user_email):
user = models.User.query.get(user_email) or flask.abort(404) user = models.User.query.get(user_email) or flask.abort(404)
return flask.jsonify({ return flask.jsonify({
@ -28,7 +28,7 @@ def dovecot_userdb_dict(user_email):
}) })
@internal.route("/dovecot/quota/<ns>/<user_email>", methods=["POST"]) @internal.route("/dovecot/quota/<ns>/<path:user_email>", methods=["POST"])
def dovecot_quota(ns, user_email): def dovecot_quota(ns, user_email):
user = models.User.query.get(user_email) or flask.abort(404) user = models.User.query.get(user_email) or flask.abort(404)
if ns == "storage": if ns == "storage":
@ -37,12 +37,12 @@ def dovecot_quota(ns, user_email):
return flask.jsonify(None) return flask.jsonify(None)
@internal.route("/dovecot/sieve/name/<script>/<user_email>") @internal.route("/dovecot/sieve/name/<script>/<path:user_email>")
def dovecot_sieve_name(script, user_email): def dovecot_sieve_name(script, user_email):
return flask.jsonify(script) return flask.jsonify(script)
@internal.route("/dovecot/sieve/data/default/<user_email>") @internal.route("/dovecot/sieve/data/default/<path:user_email>")
def dovecot_sieve_data(user_email): def dovecot_sieve_data(user_email):
user = models.User.query.get(user_email) or flask.abort(404) user = models.User.query.get(user_email) or flask.abort(404)
return flask.jsonify(flask.render_template("default.sieve", user=user)) return flask.jsonify(flask.render_template("default.sieve", user=user))

@ -12,13 +12,13 @@ def postfix_mailbox_domain(domain_name):
return flask.jsonify(domain.name) return flask.jsonify(domain.name)
@internal.route("/postfix/mailbox/<email>") @internal.route("/postfix/mailbox/<path:email>")
def postfix_mailbox_map(email): def postfix_mailbox_map(email):
user = models.User.query.get(email) or flask.abort(404) user = models.User.query.get(email) or flask.abort(404)
return flask.jsonify(user.email) return flask.jsonify(user.email)
@internal.route("/postfix/alias/<alias>") @internal.route("/postfix/alias/<path:alias>")
def postfix_alias_map(alias): def postfix_alias_map(alias):
localpart, domain_name = models.Email.resolve_domain(alias) localpart, domain_name = models.Email.resolve_domain(alias)
if localpart is None: if localpart is None:
@ -27,7 +27,7 @@ def postfix_alias_map(alias):
return flask.jsonify(",".join(destination)) if destination else flask.abort(404) return flask.jsonify(",".join(destination)) if destination else flask.abort(404)
@internal.route("/postfix/transport/<email>") @internal.route("/postfix/transport/<path:email>")
def postfix_transport(email): def postfix_transport(email):
if email == '*': if email == '*':
return flask.abort(404) return flask.abort(404)
@ -36,7 +36,7 @@ def postfix_transport(email):
return flask.jsonify("smtp:[{}]".format(relay.smtp)) return flask.jsonify("smtp:[{}]".format(relay.smtp))
@internal.route("/postfix/sender/login/<sender>") @internal.route("/postfix/sender/login/<path:sender>")
def postfix_sender_login(sender): def postfix_sender_login(sender):
localpart, domain_name = models.Email.resolve_domain(sender) localpart, domain_name = models.Email.resolve_domain(sender)
if localpart is None: if localpart is None:
@ -45,7 +45,7 @@ def postfix_sender_login(sender):
return flask.jsonify(",".join(destination)) if destination else flask.abort(404) return flask.jsonify(",".join(destination)) if destination else flask.abort(404)
@internal.route("/postfix/sender/access/<sender>") @internal.route("/postfix/sender/access/<path:sender>")
def postfix_sender_access(sender): def postfix_sender_access(sender):
""" Simply reject any sender that pretends to be from a local domain """ Simply reject any sender that pretends to be from a local domain
""" """

@ -6,7 +6,7 @@ import flask_login
import flask_wtf import flask_wtf
import re import re
LOCALPART_REGEX = "^[a-zA-Z0-9.!#$%&*+/=?^_`{|}~-]+$" LOCALPART_REGEX = "^[a-zA-Z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-zA-Z0-9!#$%&'*+/=?^_`{|}~-]+)*$"
class DestinationField(fields.SelectMultipleField): class DestinationField(fields.SelectMultipleField):
""" Allow for multiple emails selection from current user choices and """ Allow for multiple emails selection from current user choices and

@ -33,7 +33,7 @@ def admin_create():
return flask.render_template('admin/create.html', form=form) return flask.render_template('admin/create.html', form=form)
@ui.route('/admin/delete/<admin>', methods=['GET', 'POST']) @ui.route('/admin/delete/<path:admin>', methods=['GET', 'POST'])
@access.global_admin @access.global_admin
@access.confirmation_required("delete admin {admin}") @access.confirmation_required("delete admin {admin}")
def admin_delete(admin): def admin_delete(admin):

@ -36,7 +36,7 @@ def alias_create(domain_name):
domain=domain, form=form) domain=domain, form=form)
@ui.route('/alias/edit/<alias>', methods=['GET', 'POST']) @ui.route('/alias/edit/<path:alias>', methods=['GET', 'POST'])
@access.domain_admin(models.Alias, 'alias') @access.domain_admin(models.Alias, 'alias')
def alias_edit(alias): def alias_edit(alias):
alias = models.Alias.query.get(alias) or flask.abort(404) alias = models.Alias.query.get(alias) or flask.abort(404)
@ -53,7 +53,7 @@ def alias_edit(alias):
form=form, alias=alias, domain=alias.domain) form=form, alias=alias, domain=alias.domain)
@ui.route('/alias/delete/<alias>', methods=['GET', 'POST']) @ui.route('/alias/delete/<path:alias>', methods=['GET', 'POST'])
@access.domain_admin(models.Alias, 'alias') @access.domain_admin(models.Alias, 'alias')
@access.confirmation_required("delete {alias}") @access.confirmation_required("delete {alias}")
def alias_delete(alias): def alias_delete(alias):

@ -6,7 +6,7 @@ import flask_login
@ui.route('/fetch/list', methods=['GET', 'POST'], defaults={'user_email': None}) @ui.route('/fetch/list', methods=['GET', 'POST'], defaults={'user_email': None})
@ui.route('/fetch/list/<user_email>', methods=['GET']) @ui.route('/fetch/list/<path:user_email>', methods=['GET'])
@access.owner(models.User, 'user_email') @access.owner(models.User, 'user_email')
def fetch_list(user_email): def fetch_list(user_email):
user_email = user_email or flask_login.current_user.email user_email = user_email or flask_login.current_user.email
@ -15,7 +15,7 @@ def fetch_list(user_email):
@ui.route('/fetch/create', methods=['GET', 'POST'], defaults={'user_email': None}) @ui.route('/fetch/create', methods=['GET', 'POST'], defaults={'user_email': None})
@ui.route('/fetch/create/<user_email>', methods=['GET', 'POST']) @ui.route('/fetch/create/<path:user_email>', methods=['GET', 'POST'])
@access.owner(models.User, 'user_email') @access.owner(models.User, 'user_email')
def fetch_create(user_email): def fetch_create(user_email):
user_email = user_email or flask_login.current_user.email user_email = user_email or flask_login.current_user.email

@ -38,7 +38,7 @@ def manager_create(domain_name):
domain=domain, form=form) domain=domain, form=form)
@ui.route('/manager/delete/<domain_name>/<user_email>', methods=['GET', 'POST']) @ui.route('/manager/delete/<domain_name>/<path:user_email>', methods=['GET', 'POST'])
@access.confirmation_required("remove manager {user_email}") @access.confirmation_required("remove manager {user_email}")
@access.domain_admin(models.Domain, 'domain_name') @access.domain_admin(models.Domain, 'domain_name')
def manager_delete(domain_name, user_email): def manager_delete(domain_name, user_email):

@ -9,7 +9,7 @@ import wtforms_components
@ui.route('/token/list', methods=['GET', 'POST'], defaults={'user_email': None}) @ui.route('/token/list', methods=['GET', 'POST'], defaults={'user_email': None})
@ui.route('/token/list/<user_email>', methods=['GET']) @ui.route('/token/list/<path:user_email>', methods=['GET'])
@access.owner(models.User, 'user_email') @access.owner(models.User, 'user_email')
def token_list(user_email): def token_list(user_email):
user_email = user_email or flask_login.current_user.email user_email = user_email or flask_login.current_user.email
@ -18,7 +18,7 @@ def token_list(user_email):
@ui.route('/token/create', methods=['GET', 'POST'], defaults={'user_email': None}) @ui.route('/token/create', methods=['GET', 'POST'], defaults={'user_email': None})
@ui.route('/token/create/<user_email>', methods=['GET', 'POST']) @ui.route('/token/create/<path:user_email>', methods=['GET', 'POST'])
@access.owner(models.User, 'user_email') @access.owner(models.User, 'user_email')
def token_create(user_email): def token_create(user_email):
user_email = user_email or flask_login.current_user.email user_email = user_email or flask_login.current_user.email

@ -43,7 +43,7 @@ def user_create(domain_name):
domain=domain, form=form) domain=domain, form=form)
@ui.route('/user/edit/<user_email>', methods=['GET', 'POST']) @ui.route('/user/edit/<path:user_email>', methods=['GET', 'POST'])
@access.domain_admin(models.User, 'user_email') @access.domain_admin(models.User, 'user_email')
def user_edit(user_email): def user_edit(user_email):
user = models.User.query.get(user_email) or flask.abort(404) user = models.User.query.get(user_email) or flask.abort(404)
@ -71,7 +71,7 @@ def user_edit(user_email):
domain=user.domain, max_quota_bytes=max_quota_bytes) domain=user.domain, max_quota_bytes=max_quota_bytes)
@ui.route('/user/delete/<user_email>', methods=['GET', 'POST']) @ui.route('/user/delete/<path:user_email>', methods=['GET', 'POST'])
@access.domain_admin(models.User, 'user_email') @access.domain_admin(models.User, 'user_email')
@access.confirmation_required("delete {user_email}") @access.confirmation_required("delete {user_email}")
def user_delete(user_email): def user_delete(user_email):
@ -85,7 +85,7 @@ def user_delete(user_email):
@ui.route('/user/settings', methods=['GET', 'POST'], defaults={'user_email': None}) @ui.route('/user/settings', methods=['GET', 'POST'], defaults={'user_email': None})
@ui.route('/user/usersettings/<user_email>', methods=['GET', 'POST']) @ui.route('/user/usersettings/<path:user_email>', methods=['GET', 'POST'])
@access.owner(models.User, 'user_email') @access.owner(models.User, 'user_email')
def user_settings(user_email): def user_settings(user_email):
user_email_or_current = user_email or flask_login.current_user.email user_email_or_current = user_email or flask_login.current_user.email
@ -109,7 +109,7 @@ def user_settings(user_email):
@ui.route('/user/password', methods=['GET', 'POST'], defaults={'user_email': None}) @ui.route('/user/password', methods=['GET', 'POST'], defaults={'user_email': None})
@ui.route('/user/password/<user_email>', methods=['GET', 'POST']) @ui.route('/user/password/<path:user_email>', methods=['GET', 'POST'])
@access.owner(models.User, 'user_email') @access.owner(models.User, 'user_email')
def user_password(user_email): def user_password(user_email):
user_email_or_current = user_email or flask_login.current_user.email user_email_or_current = user_email or flask_login.current_user.email
@ -129,7 +129,7 @@ def user_password(user_email):
@ui.route('/user/forward', methods=['GET', 'POST'], defaults={'user_email': None}) @ui.route('/user/forward', methods=['GET', 'POST'], defaults={'user_email': None})
@ui.route('/user/forward/<user_email>', methods=['GET', 'POST']) @ui.route('/user/forward/<path:user_email>', methods=['GET', 'POST'])
@access.owner(models.User, 'user_email') @access.owner(models.User, 'user_email')
def user_forward(user_email): def user_forward(user_email):
user_email_or_current = user_email or flask_login.current_user.email user_email_or_current = user_email or flask_login.current_user.email
@ -146,7 +146,7 @@ def user_forward(user_email):
@ui.route('/user/reply', methods=['GET', 'POST'], defaults={'user_email': None}) @ui.route('/user/reply', methods=['GET', 'POST'], defaults={'user_email': None})
@ui.route('/user/reply/<user_email>', methods=['GET', 'POST']) @ui.route('/user/reply/<path:user_email>', methods=['GET', 'POST'])
@access.owner(models.User, 'user_email') @access.owner(models.User, 'user_email')
def user_reply(user_email): def user_reply(user_email):
user_email_or_current = user_email or flask_login.current_user.email user_email_or_current = user_email or flask_login.current_user.email

Loading…
Cancel
Save