4129 Commits (cef97f78f12aa5c1aae36407dcaea786c05dfa34)
 

Author SHA1 Message Date
Dimitri Huisman 7a36f6bbb9
Use hmac.compare_digest to prevent timing attacks. 2 years ago
Dimitri Huisman 5c9cdfe1de
Introduction of the Mailu RESTful API.
Anything that can be configured in the web administration interface,
can also be configured via the Mailu RESTful API.
See the section Advanced configuration in the configuration reference
for the relevant settings in mailu.env for enabling the API.
(API, WEB_API, API_TOKEN).
2 years ago
Alexander Graf 866ad89dfc
first try at api using flask-restx & marshmallow 2 years ago
Alexander Graf c30944404d
Add "API" flag to config (default: disabled) 2 years ago
bors[bot] e9175da586
Merge #2598
2598: drop privs better r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

Without this we may see the following:
```
Initializing database
PHP Deprecated:  Return type of zipdownload_mbox_filter::filter($in, $out, &$consumed, $closing) should either be compatible with php_user_filter::filter($in, $out, &$consumed, bool $closing): int, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice in /var/www/roundcube/plugins/zipdownload/zipdownload.php on line 405
PHP Fatal error:  [snuffleupagus][0.0.0.0][readonly_exec][drop] Attempted execution of a writable file (/var/www/roundcube/plugins/mailu/mailu.php) in /var/www/roundcube/program/lib/Roundcube/rcube_plugin_api.php on line 204
Fatal error: Please check the Roundcube error log and/or server error logs for more information.
```

This has been confirmed to fix it.

### Related issue(s)

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry is not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2 years ago
Florent Daigniere 108958cabb drop privs better 2 years ago
bors[bot] 8d2bd6d9ff
Merge #2528
2528: Implement #2510: oletools integration r=mergify[bot] a=nextgens

## What type of PR?

Feature

## What does this PR do?

OLETools now flags documents with macros and rejects suspicious ones. We also block executable file extensions by default (but don't perform inspection in archives: you can tell users to zip-up whatever needs sending).

### Related issue(s)
- closes #2510
- closes #2511

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry is not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
2 years ago
Dimitri Huisman 6d87fa423c
Mention you must restart rspamd for the changes to take effect. 2 years ago
Dimitri Huisman 33497c8e31
Small extra clarification for new documentation 2 years ago
bors[bot] 8461a11ff4
Merge #2588
2588: IMAP folder names may contain characters outside of \w: [a-zA-Z0-9] r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

IMAP folder names may contain characters outside of \w: [a-zA-Z0-9]. Typically it may be subfolders...

I have also simplified the regexp since we strip spaces on the line below.

This is used for "external accounts"/fetchmail.

### Related issue(s)

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry is not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2 years ago
bors[bot] caa27ede4b
Merge #2593
2593: Drop postfix rsyslog localhost messages with IPv6 address r=mergify[bot] a=UbiquitousBear

## What type of PR?


Enhancement

## What does this PR do?

### Related issue(s)
#2594


## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry is not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Shamil Nunhuck <shamil@shamil.co.uk>
2 years ago
Johnson Thiang bd20ef04cc change field type to db.text 2 years ago
Shamil Nunhuck 5264a3070b Added missing towncrier newsfragments 2 years ago
Shamil Nunhuck 7225cb0d3e
Drop rsyslog localhost messages with IPv6 address 2 years ago
bors[bot] 23b09518db
Merge #2591
2591: Add button to mailu-admin in roundcube task menu r=mergify[bot] a=ghostwheel42

## What type of PR?

feature

## What does this PR do?

Adds a button to the roundcube interface. This button gets you back to the admin interface.

### Related issue(s)
- Replaces  #2367


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2 years ago
Alexander Graf 15ba442477
Duh #2 2 years ago
Alexander Graf 5a99ab316d
Duh 2 years ago
Alexander Graf 373488148b
Remove useless style for larry skin 2 years ago
Alexander Graf 36a567c783
Add towncrier 2 years ago
Alexander Graf c38e6aae4e
Add button to mailu-admin in roundcube task menu 2 years ago
Florent Daigniere 6370d03f80 merge snafu 2 years ago
Florent Daigniere ef123f1b53 doh 2 years ago
Florent Daigniere 49d458a0f3 try renaming the file 2 years ago
Florent Daigniere 26858b110a Required for the tests to pass now 2 years ago
Florent Daigniere 6241fbeb78 actually make it optional 2 years ago
Florent Daigniere cea533ae57 Merge remote-tracking branch 'upstream/master' into oletools 2 years ago
Florent Daigniere f04be00798 doc 2 years ago
Florent Daigniere 43bf068be2 Enable admin by default 2 years ago
bors[bot] 4315227215
Merge #2587
2587: fix roundcube/sieve r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

Without this snuffleupagus is throwing a tantrum on ini_get(), when saving a sieve filter from roundcube.

```
[17-Dec-2022 13:44:08] WARNING: [pool php] child 21853 said into stderr: "NOTICE: PHP message: PHP Fatal error:  [snuffleupagus][0.0.0.0][disabled_function][drop] Aborted execution on call of the function 'ini_get', because its argument '$option' content (suhosin.request.max_vars) matched a rule in /var/www/roundcube/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php on line 532"
```

### Related issue(s)

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry is not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2 years ago
Florent Daigniere 44c064ff38 make it configurable 2 years ago
Florent Daigniere b70be29403 document 2 years ago
Florent Daigniere 77d770a2d2 doh 2 years ago
bors[bot] 251db0b1af
Merge #2562
2562: Dynamic address resolution everywhere r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR do?

Use dynamic address resolution everywhere.
Derive a new key for admin/SECRET_KEY
Cleanup the environment

This should allow restarting containers.

### Related issue(s)
- closes #1341
- closes #1013
- closes #1430

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry is not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2 years ago
Florent Daigniere df924b0864 doh 2 years ago
Florent Daigniere 0fa239da11 These tests are not required anymore 2 years ago
Florent Daigniere c634b9ac04 IMAP folder names may contain characters outside of \w: [a-zA-Z0-9] 2 years ago
Florent Daigniere 170b12baf0 fix sieve 2 years ago
bors[bot] 79f01c4e33
Merge #2581
2581: fix missing casting to int for SESSION_KEY_BITS r=nextgens a=fastlorenzo

## What type of PR?

bug-fix

## What does this PR do?

This PR adds a missing env var casting for the `SESSION_KEY_BITS` variable.
When trying to provide a different value via env var, the value is passed as a string and then compared to an int.
The following check then throws a cast error: 50c7fa882e/core/admin/mailu/utils.py (L309-L312)

### Related issue(s)

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry is not applicable, you can check it or remove it from the list.


Co-authored-by: fastlorenzo <git@bernardi.be>
2 years ago
bors[bot] 59220ac83b
Merge #2580
2580: Fixed roundcube carddav module r=mergify[bot] a=fastlorenzo

## What type of PR?

bug-fix

## What does this PR do?

This makes the Carddav module of roundcube work again.

Changes made:
- Add 2 missing packages in the container (`php81-xmlreader` and `php81-xmlwriter`)
- Disable one rule in snuffleupagus that blocked the web request needed from the plugin to interact with carddav



Co-authored-by: fastlorenzo <git@bernardi.be>
2 years ago
fastlorenzo 135207db3e
fix missing casting to int for SESSION_KEY_BITS
Signed-off-by: fastlorenzo <git@bernardi.be>
2 years ago
fastlorenzo 2fa8dcb51d
Fixed roundcube carddav module
Signed-off-by: fastlorenzo <git@bernardi.be>
2 years ago
bors[bot] 50c7fa882e
Merge #2577
2577: Autofocus the login form on /sso/login r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR do?

Autofocus the login form on /sso/login

### Related issue(s)

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry is not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2 years ago
bors[bot] f169f81436
Merge #2571
2571: Upgrade to alpine 3.17.0 r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR do?

Upgrade to alpine 3.17.0.

### Related issue(s)

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry is not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2 years ago
Florent Daigniere e42d029c25 normalize booleans 2 years ago
Florent Daigniere ae6af92b1d it's called libretls! 2 years ago
Florent Daigniere b630355d03 Autofocus the login form on /sso/login 2 years ago
Florent Daigniere 4e3874b0c1 Enable dynamic resolution of hostnames 2 years ago
bors[bot] 1a67921b7c
Merge #2576
2576: Add net_bind_service capability for python executable r=mergify[bot] a=fastlorenzo

## What type of PR?

bug-fix

## What does this PR do?

Fixes capabilities needed to bind on privileged port.


Co-authored-by: fastlorenzo <git@bernardi.be>
Co-authored-by: Florent Daigniere <nextgens@users.noreply.github.com>
2 years ago
Florent Daigniere dfaba5bb17
No need for two commands here 2 years ago
fastlorenzo 0209825277
Add net_bind_service capability for python executable
Signed-off-by: fastlorenzo <git@bernardi.be>
2 years ago