lub
/
mailu
1
0
Fork 0
Code Issues Pull Requests Packages Releases Wiki Activity

Merge #1957

Browse Source 
1957: BugFix 1952 - use punycode encoding in HTTP headers for webmail/radicale r=mergify[bot] a=Diman0

## What type of PR?

Bug fix

## What does this PR do?

Fixes a bug introduced by the SSO implementation and an already existing bug for radicale.
In auth.py we did not use punycode (ACE) encoding for the domain part of an email. 
Since we pass the user name in the HTTP header to webmail/radicale, we would sometime pass non-ascii. E.g. user@exämple.io.
This is illegal. HTTP headers may only contain ASCII. The domain part of the user name therefore now uses punycode encoding.

I tested that I can log in with the form user@exämple.io and user@xn--exmple-cua.io for
- admin
- roundcube (also tested sending emails of course)
- rainloop (also tested sending emails of course)
- radicale (webdav)
- thunderbird - sending/receiving emails and accessing/modifying the webdav calendar added in radicale.
  - for the calendar you can use the normal and punnycode notation
  - for email you can only use punnycode. This is a limitation of thunderbird. It does not accept email addresses with non-ascii in the domain part of an email address.

### Related issue(s)
- closes  #1952 

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [n/a] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
master
bors[bot] 3 years ago committed by GitHub
parent ecb39fed04 169a540692
commit 4c52eb3e0e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 5 additions and 2 deletions
Show Stats Download Patch File Download Diff File

4
core/admin/mailu/internal/views/auth.py
Unescape Escape View File

@ -50,7 +50,7 @@ def user_authentication():
if (not flask_login.current_user.is_anonymous
and flask_login.current_user.enabled):
response = flask.Response()
response.headers["X-User"] = flask_login.current_user.get_id()
response.headers["X-User"] = models.IdnaEmail.process_bind_param(flask_login, flask_login.current_user.get_id(), "")
response.headers["X-User-Token"] = models.User.get_temp_token(flask_login.current_user.get_id())
return response
return flask.abort(403)
@ -67,7 +67,7 @@ def basic_authentication():
user = models.User.query.get(user_email.decode("utf8"))
if nginx.check_credentials(user, password.decode('utf-8'), flask.request.remote_addr, "web"):
response = flask.Response()
response.headers["X-User"] = user.email
response.headers["X-User"] = models.IdnaEmail.process_bind_param(flask_login, user.email, "")
return response
response = flask.Response(status=401)
response.headers["WWW-Authenticate"] = 'Basic realm="Login Required"'

3
towncrier/newsfragments/1952.bugfix
Unescape Escape View File

@ -0,0 +1,3 @@
Webmail and Radicale (webdav) were not useable with domains with special characters such as umlauts.
Webmail and radicale now use punycode for logging in.
Punycode was not used in the HTTP headers. This resulted in illegal non-ASCII HTTP headers.
Write Preview
Loading…
Cancel
Save