harden email address validation and fix routes with user_email

6 years ago · d5d4d6c337
parent d483ef3c2a
commit d5d4d6c337
6 changed files with 17 additions and 17 deletions
--- a/core/admin/mailu/internal/views/dovecot.py
+++ b/core/admin/mailu/internal/views/dovecot.py
@ -6,7 +6,7 @@ import flask
 import socket
 import os

-@internal.route("/dovecot/passdb/<user_email>")
+@internal.route("/dovecot/passdb/<path:user_email>")
 def dovecot_passdb_dict(user_email):
    user = models.User.query.get(user_email) or flask.abort(404)
    allow_nets = []
@ -20,7 +20,7 @@ def dovecot_passdb_dict(user_email):
    })


-@internal.route("/dovecot/userdb/<user_email>")
+@internal.route("/dovecot/userdb/<path:user_email>")
 def dovecot_userdb_dict(user_email):
    user = models.User.query.get(user_email) or flask.abort(404)
    return flask.jsonify({
@ -28,7 +28,7 @@ def dovecot_userdb_dict(user_email):
    })


-@internal.route("/dovecot/quota/<ns>/<user_email>", methods=["POST"])
+@internal.route("/dovecot/quota/<ns>/<path:user_email>", methods=["POST"])
 def dovecot_quota(ns, user_email):
    user = models.User.query.get(user_email) or flask.abort(404)
    if ns == "storage":
@ -37,12 +37,12 @@ def dovecot_quota(ns, user_email):
    return flask.jsonify(None)


-@internal.route("/dovecot/sieve/name/<script>/<user_email>")
+@internal.route("/dovecot/sieve/name/<script>/<path:user_email>")
 def dovecot_sieve_name(script, user_email):
    return flask.jsonify(script)


-@internal.route("/dovecot/sieve/data/default/<user_email>")
+@internal.route("/dovecot/sieve/data/default/<path:user_email>")
 def dovecot_sieve_data(user_email):
    user = models.User.query.get(user_email) or flask.abort(404)
    return flask.jsonify(flask.render_template("default.sieve", user=user))
--- a/core/admin/mailu/ui/forms.py
+++ b/core/admin/mailu/ui/forms.py
@ -6,7 +6,7 @@ import flask_login
 import flask_wtf
 import re

-LOCALPART_REGEX = "^[a-zA-Z0-9.!#$%&’*+/=?^_`{|}~-]+$"
+LOCALPART_REGEX = "^[a-zA-Z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-zA-Z0-9!#$%&'*+/=?^_`{|}~-]+)*$"

 class DestinationField(fields.SelectMultipleField):
    """ Allow for multiple emails selection from current user choices and
--- a/core/admin/mailu/ui/views/fetches.py
+++ b/core/admin/mailu/ui/views/fetches.py
@ -6,7 +6,7 @@ import flask_login


@ui.route('/fetch/list', methods=['GET', 'POST'], defaults={'user_email': None})
-@ui.route('/fetch/list/<user_email>', methods=['GET'])
+@ui.route('/fetch/list/<path:user_email>', methods=['GET'])
@access.owner(models.User, 'user_email')
 def fetch_list(user_email):
    user_email = user_email or flask_login.current_user.email
@ -15,7 +15,7 @@ def fetch_list(user_email):


@ui.route('/fetch/create', methods=['GET', 'POST'], defaults={'user_email': None})
-@ui.route('/fetch/create/<user_email>', methods=['GET', 'POST'])
+@ui.route('/fetch/create/<path:user_email>', methods=['GET', 'POST'])
@access.owner(models.User, 'user_email')
 def fetch_create(user_email):
    user_email = user_email or flask_login.current_user.email
--- a/core/admin/mailu/ui/views/managers.py
+++ b/core/admin/mailu/ui/views/managers.py
@ -38,7 +38,7 @@ def manager_create(domain_name):
        domain=domain, form=form)


-@ui.route('/manager/delete/<domain_name>/<user_email>', methods=['GET', 'POST'])
+@ui.route('/manager/delete/<domain_name>/<path:user_email>', methods=['GET', 'POST'])
@access.confirmation_required("remove manager {user_email}")
@access.domain_admin(models.Domain, 'domain_name')
 def manager_delete(domain_name, user_email):
--- a/core/admin/mailu/ui/views/tokens.py
+++ b/core/admin/mailu/ui/views/tokens.py
@ -9,7 +9,7 @@ import wtforms_components


@ui.route('/token/list', methods=['GET', 'POST'], defaults={'user_email': None})
-@ui.route('/token/list/<user_email>', methods=['GET'])
+@ui.route('/token/list/<path:user_email>', methods=['GET'])
@access.owner(models.User, 'user_email')
 def token_list(user_email):
    user_email = user_email or flask_login.current_user.email
@ -18,7 +18,7 @@ def token_list(user_email):


@ui.route('/token/create', methods=['GET', 'POST'], defaults={'user_email': None})
-@ui.route('/token/create/<user_email>', methods=['GET', 'POST'])
+@ui.route('/token/create/<path:user_email>', methods=['GET', 'POST'])
@access.owner(models.User, 'user_email')
 def token_create(user_email):
    user_email = user_email or flask_login.current_user.email
--- a/core/admin/mailu/ui/views/users.py
+++ b/core/admin/mailu/ui/views/users.py
@ -43,7 +43,7 @@ def user_create(domain_name):
        domain=domain, form=form)


-@ui.route('/user/edit/<user_email>', methods=['GET', 'POST'])
+@ui.route('/user/edit/<path:user_email>', methods=['GET', 'POST'])
@access.domain_admin(models.User, 'user_email')
 def user_edit(user_email):
    user = models.User.query.get(user_email) or flask.abort(404)
@ -71,7 +71,7 @@ def user_edit(user_email):
        domain=user.domain, max_quota_bytes=max_quota_bytes)


-@ui.route('/user/delete/<user_email>', methods=['GET', 'POST'])
+@ui.route('/user/delete/<path:user_email>', methods=['GET', 'POST'])
@access.domain_admin(models.User, 'user_email')
@access.confirmation_required("delete {user_email}")
 def user_delete(user_email):
@ -85,7 +85,7 @@ def user_delete(user_email):


@ui.route('/user/settings', methods=['GET', 'POST'], defaults={'user_email': None})
-@ui.route('/user/usersettings/<user_email>', methods=['GET', 'POST'])
+@ui.route('/user/usersettings/<path:user_email>', methods=['GET', 'POST'])
@access.owner(models.User, 'user_email')
 def user_settings(user_email):
    user_email_or_current = user_email or flask_login.current_user.email
@ -109,7 +109,7 @@ def user_settings(user_email):


@ui.route('/user/password', methods=['GET', 'POST'], defaults={'user_email': None})
-@ui.route('/user/password/<user_email>', methods=['GET', 'POST'])
+@ui.route('/user/password/<path:user_email>', methods=['GET', 'POST'])
@access.owner(models.User, 'user_email')
 def user_password(user_email):
    user_email_or_current = user_email or flask_login.current_user.email
@ -129,7 +129,7 @@ def user_password(user_email):


@ui.route('/user/forward', methods=['GET', 'POST'], defaults={'user_email': None})
-@ui.route('/user/forward/<user_email>', methods=['GET', 'POST'])
+@ui.route('/user/forward/<path:user_email>', methods=['GET', 'POST'])
@access.owner(models.User, 'user_email')
 def user_forward(user_email):
    user_email_or_current = user_email or flask_login.current_user.email
@ -146,7 +146,7 @@ def user_forward(user_email):


@ui.route('/user/reply', methods=['GET', 'POST'], defaults={'user_email': None})
-@ui.route('/user/reply/<user_email>', methods=['GET', 'POST'])
+@ui.route('/user/reply/<path:user_email>', methods=['GET', 'POST'])
@access.owner(models.User, 'user_email')
 def user_reply(user_email):
    user_email_or_current = user_email or flask_login.current_user.email