Merge pull request #796 from hoellen/fix-username-chars-1

harden email address validation and fix routes with user_email
2025-01-28 03:56:43 +02:00 · 2019-01-04 20:43:06 +00:00 · 2019-01-04 20:43:06 +00:00 · 4733f15c0c
commit 4733f15c0c
parent d515353f34 8fe1e788b3
9 changed files with 25 additions and 25 deletions
--- a/core/admin/mailu/internal/views/dovecot.py
+++ b/core/admin/mailu/internal/views/dovecot.py
@ -6,7 +6,7 @@ import flask
 import socket
 import os

-@internal.route("/dovecot/passdb/<user_email>")
+@internal.route("/dovecot/passdb/<path:user_email>")
 def dovecot_passdb_dict(user_email):
    user = models.User.query.get(user_email) or flask.abort(404)
    allow_nets = []
@ -20,7 +20,7 @@ def dovecot_passdb_dict(user_email):
    })


-@internal.route("/dovecot/userdb/<user_email>")
+@internal.route("/dovecot/userdb/<path:user_email>")
 def dovecot_userdb_dict(user_email):
    user = models.User.query.get(user_email) or flask.abort(404)
    return flask.jsonify({
@ -28,7 +28,7 @@ def dovecot_userdb_dict(user_email):
    })


-@internal.route("/dovecot/quota/<ns>/<user_email>", methods=["POST"])
+@internal.route("/dovecot/quota/<ns>/<path:user_email>", methods=["POST"])
 def dovecot_quota(ns, user_email):
    user = models.User.query.get(user_email) or flask.abort(404)
    if ns == "storage":
@ -37,12 +37,12 @@ def dovecot_quota(ns, user_email):
    return flask.jsonify(None)


-@internal.route("/dovecot/sieve/name/<script>/<user_email>")
+@internal.route("/dovecot/sieve/name/<script>/<path:user_email>")
 def dovecot_sieve_name(script, user_email):
    return flask.jsonify(script)


-@internal.route("/dovecot/sieve/data/default/<user_email>")
+@internal.route("/dovecot/sieve/data/default/<path:user_email>")
 def dovecot_sieve_data(user_email):
    user = models.User.query.get(user_email) or flask.abort(404)
    return flask.jsonify(flask.render_template("default.sieve", user=user))
--- a/core/admin/mailu/internal/views/postfix.py
+++ b/core/admin/mailu/internal/views/postfix.py
@ -12,13 +12,13 @@ def postfix_mailbox_domain(domain_name):
    return flask.jsonify(domain.name)


-@internal.route("/postfix/mailbox/<email>")
+@internal.route("/postfix/mailbox/<path:email>")
 def postfix_mailbox_map(email):
    user = models.User.query.get(email) or flask.abort(404)
    return flask.jsonify(user.email)


-@internal.route("/postfix/alias/<alias>")
+@internal.route("/postfix/alias/<path:alias>")
 def postfix_alias_map(alias):
    localpart, domain_name = models.Email.resolve_domain(alias)
    if localpart is None:
@ -27,7 +27,7 @@ def postfix_alias_map(alias):
    return flask.jsonify(",".join(destination)) if destination else flask.abort(404)


-@internal.route("/postfix/transport/<email>")
+@internal.route("/postfix/transport/<path:email>")
 def postfix_transport(email):
    if email == '*':
        return flask.abort(404)
@ -36,7 +36,7 @@ def postfix_transport(email):
    return flask.jsonify("smtp:[{}]".format(relay.smtp))


-@internal.route("/postfix/sender/login/<sender>")
+@internal.route("/postfix/sender/login/<path:sender>")
 def postfix_sender_login(sender):
    localpart, domain_name = models.Email.resolve_domain(sender)
    if localpart is None:
@ -45,7 +45,7 @@ def postfix_sender_login(sender):
    return flask.jsonify(",".join(destination)) if destination else flask.abort(404)


-@internal.route("/postfix/sender/access/<sender>")
+@internal.route("/postfix/sender/access/<path:sender>")
 def postfix_sender_access(sender):
    """ Simply reject any sender that pretends to be from a local domain
    """
--- a/core/admin/mailu/ui/forms.py
+++ b/core/admin/mailu/ui/forms.py
@ -6,7 +6,7 @@ import flask_login
 import flask_wtf
 import re

-LOCALPART_REGEX = "^[a-zA-Z0-9.!#$%&’*+/=?^_`{|}~-]+$"
+LOCALPART_REGEX = "^[a-zA-Z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-zA-Z0-9!#$%&'*+/=?^_`{|}~-]+)*$"

 class DestinationField(fields.SelectMultipleField):
    """ Allow for multiple emails selection from current user choices and
--- a/core/admin/mailu/ui/views/admins.py
+++ b/core/admin/mailu/ui/views/admins.py
@ -33,7 +33,7 @@ def admin_create():
    return flask.render_template('admin/create.html', form=form)


-@ui.route('/admin/delete/<admin>', methods=['GET', 'POST'])
+@ui.route('/admin/delete/<path:admin>', methods=['GET', 'POST'])
@access.global_admin
@access.confirmation_required("delete admin {admin}")
 def admin_delete(admin):
--- a/core/admin/mailu/ui/views/aliases.py
+++ b/core/admin/mailu/ui/views/aliases.py
@ -36,7 +36,7 @@ def alias_create(domain_name):
        domain=domain, form=form)


-@ui.route('/alias/edit/<alias>', methods=['GET', 'POST'])
+@ui.route('/alias/edit/<path:alias>', methods=['GET', 'POST'])
@access.domain_admin(models.Alias, 'alias')
 def alias_edit(alias):
    alias = models.Alias.query.get(alias) or flask.abort(404)
@ -53,7 +53,7 @@ def alias_edit(alias):
        form=form, alias=alias, domain=alias.domain)


-@ui.route('/alias/delete/<alias>', methods=['GET', 'POST'])
+@ui.route('/alias/delete/<path:alias>', methods=['GET', 'POST'])
@access.domain_admin(models.Alias, 'alias')
@access.confirmation_required("delete {alias}")
 def alias_delete(alias):
--- a/core/admin/mailu/ui/views/fetches.py
+++ b/core/admin/mailu/ui/views/fetches.py
@ -6,7 +6,7 @@ import flask_login


@ui.route('/fetch/list', methods=['GET', 'POST'], defaults={'user_email': None})
-@ui.route('/fetch/list/<user_email>', methods=['GET'])
+@ui.route('/fetch/list/<path:user_email>', methods=['GET'])
@access.owner(models.User, 'user_email')
 def fetch_list(user_email):
    user_email = user_email or flask_login.current_user.email
@ -15,7 +15,7 @@ def fetch_list(user_email):


@ui.route('/fetch/create', methods=['GET', 'POST'], defaults={'user_email': None})
-@ui.route('/fetch/create/<user_email>', methods=['GET', 'POST'])
+@ui.route('/fetch/create/<path:user_email>', methods=['GET', 'POST'])
@access.owner(models.User, 'user_email')
 def fetch_create(user_email):
    user_email = user_email or flask_login.current_user.email
--- a/core/admin/mailu/ui/views/managers.py
+++ b/core/admin/mailu/ui/views/managers.py
@ -38,7 +38,7 @@ def manager_create(domain_name):
        domain=domain, form=form)


-@ui.route('/manager/delete/<domain_name>/<user_email>', methods=['GET', 'POST'])
+@ui.route('/manager/delete/<domain_name>/<path:user_email>', methods=['GET', 'POST'])
@access.confirmation_required("remove manager {user_email}")
@access.domain_admin(models.Domain, 'domain_name')
 def manager_delete(domain_name, user_email):
--- a/core/admin/mailu/ui/views/tokens.py
+++ b/core/admin/mailu/ui/views/tokens.py
@ -9,7 +9,7 @@ import wtforms_components


@ui.route('/token/list', methods=['GET', 'POST'], defaults={'user_email': None})
-@ui.route('/token/list/<user_email>', methods=['GET'])
+@ui.route('/token/list/<path:user_email>', methods=['GET'])
@access.owner(models.User, 'user_email')
 def token_list(user_email):
    user_email = user_email or flask_login.current_user.email
@ -18,7 +18,7 @@ def token_list(user_email):


@ui.route('/token/create', methods=['GET', 'POST'], defaults={'user_email': None})
-@ui.route('/token/create/<user_email>', methods=['GET', 'POST'])
+@ui.route('/token/create/<path:user_email>', methods=['GET', 'POST'])
@access.owner(models.User, 'user_email')
 def token_create(user_email):
    user_email = user_email or flask_login.current_user.email
--- a/core/admin/mailu/ui/views/users.py
+++ b/core/admin/mailu/ui/views/users.py
@ -43,7 +43,7 @@ def user_create(domain_name):
        domain=domain, form=form)


-@ui.route('/user/edit/<user_email>', methods=['GET', 'POST'])
+@ui.route('/user/edit/<path:user_email>', methods=['GET', 'POST'])
@access.domain_admin(models.User, 'user_email')
 def user_edit(user_email):
    user = models.User.query.get(user_email) or flask.abort(404)
@ -71,7 +71,7 @@ def user_edit(user_email):
        domain=user.domain, max_quota_bytes=max_quota_bytes)


-@ui.route('/user/delete/<user_email>', methods=['GET', 'POST'])
+@ui.route('/user/delete/<path:user_email>', methods=['GET', 'POST'])
@access.domain_admin(models.User, 'user_email')
@access.confirmation_required("delete {user_email}")
 def user_delete(user_email):
@ -85,7 +85,7 @@ def user_delete(user_email):


@ui.route('/user/settings', methods=['GET', 'POST'], defaults={'user_email': None})
-@ui.route('/user/usersettings/<user_email>', methods=['GET', 'POST'])
+@ui.route('/user/usersettings/<path:user_email>', methods=['GET', 'POST'])
@access.owner(models.User, 'user_email')
 def user_settings(user_email):
    user_email_or_current = user_email or flask_login.current_user.email
@ -109,7 +109,7 @@ def user_settings(user_email):


@ui.route('/user/password', methods=['GET', 'POST'], defaults={'user_email': None})
-@ui.route('/user/password/<user_email>', methods=['GET', 'POST'])
+@ui.route('/user/password/<path:user_email>', methods=['GET', 'POST'])
@access.owner(models.User, 'user_email')
 def user_password(user_email):
    user_email_or_current = user_email or flask_login.current_user.email
@ -129,7 +129,7 @@ def user_password(user_email):


@ui.route('/user/forward', methods=['GET', 'POST'], defaults={'user_email': None})
-@ui.route('/user/forward/<user_email>', methods=['GET', 'POST'])
+@ui.route('/user/forward/<path:user_email>', methods=['GET', 'POST'])
@access.owner(models.User, 'user_email')
 def user_forward(user_email):
    user_email_or_current = user_email or flask_login.current_user.email
@ -146,7 +146,7 @@ def user_forward(user_email):


@ui.route('/user/reply', methods=['GET', 'POST'], defaults={'user_email': None})
-@ui.route('/user/reply/<user_email>', methods=['GET', 'POST'])
+@ui.route('/user/reply/<path:user_email>', methods=['GET', 'POST'])
@access.owner(models.User, 'user_email')
 def user_reply(user_email):
    user_email_or_current = user_email or flask_login.current_user.email