7cda4a36f1
Chore: Allow @ character in message tags & set max length to 100 characters per tag
2026-01-17 11:12:45 +13:00
3108d82e06
Fix: Correctly render default addresses in release modal after settings change ( #594 )
2026-01-10 22:19:18 +13:00
c5c9292863
More reliable handling for default release email editing
2026-01-10 15:56:19 +13:00
6f1f4f34c9
Security: Prevent Cross-Site WebSocket Hijacking (CSWSH) allowing unauthenticated access to message data [CVE-2026-22689]( https://github.com/axllent/mailpit/security/advisories/GHSA-524m-q5m7-79mm )
2026-01-10 15:42:14 +13:00
877a9159ce
Delay bootstrap-tags init until after render
2026-01-08 16:23:24 +13:00
c4582889ad
Update default release address wording
2026-01-08 16:20:00 +13:00
392904fd23
Chore: Avoid empty URL query parameter when returning to inbox from message view
2026-01-08 16:03:35 +13:00
f0160c0e29
Feature: Allow default mail addresses to be set when releasing message ( #594 )
2026-01-08 16:03:35 +13:00
f9024d1f77
Chore: Remove webkit warnings about missing template / render functions
2026-01-08 16:03:34 +13:00
3b9b470c09
Security: Restrict screenshot proxy to only support asset links contained in messages [CVE-2026-21859]( https://github.com/axllent/mailpit/security/advisories/GHSA-8v65-47jx-7mfr )
...
This fix prevents unrestricted network probing via the screenshot proxy by limiting requests to images, fonts and CSS links found within a message, and returns a generic HTTP error to the client when unsupported content types are requested, not found, or otherwise disallowed.
See CWE-918 Server-Side Request Forgery (SSRF)
2026-01-06 15:33:50 +13:00
93088f3361
Chore: Add type assertion for value in imaging assignment
2025-11-09 11:33:51 +13:00
5ad8619893
Fix: Prevent potential information disclosure via indirect expvar library (Prometheus)
...
This is a security fix which prevents potential information disclosure due to a pre-registered HTTP route. The Prometheus client imports the go stdlib expvar, which in turn is auto-registers `/debug/vars` on the default servemux. This fix ensures no default/global routes are inherited via the http library.
2025-10-08 17:32:05 +13:00
99ab38fbba
Chore: Add tooltip to messages nav dropdown
2025-10-08 17:32:05 +13:00
ae65312d02
Chore: Update navbar theme to use data-bs-theme attribute for consistency
2025-09-26 14:50:27 +12:00
0770bd8d19
Chore: Add margin to icons in release and delete buttons for consistent spacing
2025-09-26 14:50:06 +12:00
e2314fb3b9
Chore: UI tweaks to pagination layout for clearer navigation ( #568 )
2025-09-26 14:48:51 +12:00
5a4d13b15a
Security: Prevent integer overflow conversion to uint64
2025-07-25 20:33:27 +12:00
2a7aa33a0a
Fix: Do not check latest release for Prometheus statistics ( #522 )
2025-07-25 20:33:20 +12:00
cce21854b9
Chore: Refactor JS functions and remove unused parameters
2025-07-24 17:27:11 +12:00
f3e3536cdb
Feature: Add ability to generate self-signed (snakeoil) certificates for UI, SMTP and POP3 ( #539 )
2025-07-24 17:02:50 +12:00
75504c7bba
Fix: Support angle brackets for text/plain URLs with spaces ( #535 )
2025-07-18 23:43:05 +12:00
2d1fb7cf14
Chore: Allow unknown href link protocols in HTML view such as myapp:// ( #532 )
2025-07-01 08:01:09 +12:00
e29883fa1c
Chore: Refactor API Swagger definitions and remove unused structs
...
- Removed deprecated `thumbnailParams` struct from `thumbnails.go`.
- Updated `server_test.go` to use an anonymous struct for response unmarshalling.
- Enhanced `swagger.json` with detailed definitions for SendRequest and SendMessageResponse.
- Introduced new `swaggerParams.go` to define Swagger parameters for various API endpoints.
- Created `swaggerResponses.go` to define Swagger responses for API endpoints.
- Cleaned up unused JSON error message definitions and consolidated error responses.
- Improved documentation for Chaos triggers and web UI configuration responses.
2025-06-22 15:25:22 +12:00
f99d9ecf69
Chore: Refactor error handling and resource management across multiple files (golangci-lint)
...
- Updated error handling to use the error return value for resource closures in tests and functions, ensuring proper error reporting.
- Replaced direct calls to `Close()` with deferred functions that handle errors gracefully.
- Improved readability by using `strings.ReplaceAll` instead of `strings.Replace` for string manipulation.
- Enhanced network connection handling by adding default cases for unsupported network types.
- Updated HTTP response handling to use the appropriate status codes and error messages.
- Removed unused variables and commented-out code to clean up the codebase.
2025-06-22 15:25:21 +12:00
3fff79e29f
Chore: Apply linting to all JavaScript/Vue files with eslint & prettier
2025-06-20 23:26:06 +12:00
95e3ef6fca
Feature: Allow version checking to be disabled ( #524 )
2025-06-19 22:29:20 +12:00
4b5ce0afed
Feature: Store username with messages, auto-tag, and UI display ( #521 )
2025-06-18 16:41:04 +12:00
fed20de522
Feature: Add relay config to preserve (keep) original Message-IDs when relaying messages ( #515 )
2025-06-07 11:38:25 +12:00
82d7bdc971
Feature: Add Prometheus exporter ( #505 )
2025-06-06 14:33:49 +12:00
9bfdeb5f7b
Feature: Send API allow separate auth ( #504 )
...
Co-authored-by: Ben Edmunds <ben.edmunds@dotdigital.com >
2025-05-30 08:34:40 +12:00
c5b3edf87d
Fix: Ignore basic auth for OPTIONS requests to API when CORS is set
...
Web browsers do not send authorization headers for preflight requests.
2025-05-30 00:00:05 +12:00
b84b428434
Chore: Add note to swagger docs about API date formats
2025-05-25 09:56:53 +12:00
91409310d7
Chore: Lighten outline-secondary buttons in dark mode
2025-05-23 23:19:54 +12:00
74c6a0a434
Chore: Switch from unnecessary float64 to uint64 API values for App Information, message & attachment sizes
2025-05-20 16:51:02 +12:00
a1c2690c44
Use text-muted instead of text-secondary
2025-05-18 10:31:39 +12:00
bf5609a39b
Chore: Adjust UI margin for side navigation
2025-05-18 10:31:36 +12:00
4ed5011a8f
Chore: Tweak UI to improve contrast between read & unread messages
2025-05-18 10:31:28 +12:00
d0716b4995
Feature: Add option to hide the "Delete all" button in web UI ( #495 )
2025-05-17 12:28:35 +12:00
e1a6904eca
Chore: Upgrade to jhillyerd/enmime/v2
2025-05-17 00:34:29 +12:00
bc200c663f
Docs: Add Message ListUnsubscribe to swagger / API documentation ( #494 )
2025-05-13 19:27:27 +12:00
05375fed7a
Feature: Display unread count in app badge ( #485 )
...
* Display unread count in app badge
* Rate limit app badge updates
2025-04-30 17:34:46 +12:00
1b95f2fe39
Remove breaking swagger example
2025-04-06 19:08:31 +12:00
1400936760
Feature: Add ability to mark all search results as read ( #476 )
2025-04-06 18:11:37 +12:00
04289091bc
Chore: Improve error message for From header parsing failure ( #477 )
2025-04-05 15:51:29 +13:00
25671ba94f
Chore: Use Message-ID header instead of Message-Id when generating new IDs (RFC 5322)
2025-03-13 17:34:10 +13:00
39886cf57c
Fix: Prevent cropping bottom of label characters in web UI ( #457 )
2025-03-08 22:49:07 +13:00
9a1f3a6bb5
Chore: Replace PrismJS with highlight.js for HTML syntax highlighting
2025-03-05 17:14:06 +13:00
876d0eb5da
Feature: Add configuration to explicitly disable HTTP compression in web UI/API ( #448 )
2025-03-01 22:51:22 +13:00
aafd2a20d9
Chore: Minor speed & memory improvements when storing messages
2025-03-01 22:51:21 +13:00
703e981a8b
Allow limit=0 in URL parameters
2025-02-15 15:22:16 +13:00
Ralph Slooten
Ben Edmunds
Matt Currie