Commit 9563cdb5 authored by paz's avatar paz

Validate arguments given to X-RESEND.

parent 8115c801
......@@ -23,6 +23,7 @@ This project adheres to [Semantic Versioning](http://semver.org/).
* X-SUBSCRIBE now handles the combination of space-separated fingerprint and additional arguments (admin-flag, delivery-enabled-flag) correctly.
* Fixed broken encoding of certain character-sequences in encrypted+signed messages.
* X-LIST-KEYS again works without arguments.
* X-RESEND now checks the given arguments to be valid email-addresses, and blocks resending if any one is found invalid.
## [3.1.2] / 2017-07-13
......
......@@ -25,6 +25,10 @@ module Schleuder
end
def self.resend_it_cc(arguments, mail, encrypted_only)
if ! resend_recipients_valid?(mail, arguments)
return false
end
recip_map = map_with_keys(mail, arguments, encrypted_only)
# Only continue if all recipients are still here.
......@@ -38,6 +42,10 @@ module Schleuder
end
def self.resend_it(arguments, mail, encrypted_only)
if ! resend_recipients_valid?(mail, arguments)
return false
end
recip_map = map_with_keys(mail, arguments, encrypted_only)
resent_stati = recip_map.map do |email, key|
......@@ -150,5 +158,16 @@ module Schleuder
'resent_cc'
end
end
def self.resend_recipients_valid?(mail, recipients)
all_valid = true
Array(recipients).each do |address|
if ! address.match(Conf::EMAIL_REGEXP)
mail.add_pseudoheader(:error, I18n.t("plugins.resend.invalid_recipient", address: address))
all_valid = false
end
end
all_valid
end
end
end
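Review bot: In `resend_recipients_valid?`, `address.match(Conf::EMAIL_REGEXP)` succeeds when any part of the argument matches, so the check is only as strict as the anchoring of that pattern, which is defined outside this commit and not visible here. In Ruby `^` and `$` match at line boundaries, so the pattern needs `\A` and `\z` to guarantee that the whole argument is an address; please confirm this. A comment above the loop would record the dependency, for example `# Relies on Conf::EMAIL_REGEXP being anchored with \A and \z; match() accepts substrings otherwise.` The helper also has no doc comment saying that it appends one `:error` pseudoheader per invalid address and returns false if any address fails. The enclosing module starts outside the visible hunks.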
......@@ -97,6 +97,7 @@ de:
not_resent_no_keys: Resending an <%{email}> fehlgeschlagen (%{num_keys} Schlüssel gefunden und unverschlüsseltes Senden verboten).
encrypted_to: Verschlüsselt an
unencrypted_to: Unverschlüsselt an
invalid_recipient: "Ungültige Emailadresse für resend: %{address}"
subscription_management:
forbidden: "Fehler: Du bist nicht berechtigt, das Abo für %{email} zu löschen."
is_not_subscribed: Kein Abo für %{email} gefunden.
......
......@@ -97,6 +97,7 @@ en:
not_resent_no_keys: Resending to <%{email}> failed (%{num_keys} keys found and unencrypted sending disallowed).
encrypted_to: Encrypted to
unencrypted_to: Unencrypted to
invalid_recipient: "Invalid email-address for resending: %{address}"
subscription_management:
forbidden: "Error: You're not allowed to unsubscribe %{email}."
is_not_subscribed: "%{email} is not subscribed."
......
......@@ -1330,6 +1330,43 @@ describe "user sends keyword" do
teardown_list_and_mailer(list)
end
it "x-resend with invalid recipient" do
list = create(:list)
list.subscribe("schleuder@example.org", '59C71FB38AEE22E091C78259D06350440F759BD3', true)
ENV['GNUPGHOME'] = list.listdir
mail = Mail.new
mail.to = list.email
mail.from = list.admins.first.email
gpg_opts = {
encrypt: true,
keys: {list.email => list.fingerprint},
sign: true,
sign_as: list.admins.first.fingerprint
}
mail.gpg(gpg_opts)
content_body = "Hello again!\n"
invalid_recipient = '`ls`bla'
mail.body = "x-listname: #{list.email}\nX-resend: #{invalid_recipient}\n#{content_body}"
mail.deliver
encrypted_mail = Mail::TestMailer.deliveries.first
Mail::TestMailer.deliveries.clear
begin
Schleuder::Runner.new().run(encrypted_mail.to_s, list.email)
rescue SystemExit
end
delivered_emails = Mail::TestMailer.deliveries
raw = delivered_emails.first
message = Mail.create_message_to_list(raw.to_s, list.email, list).setup
expect(delivered_emails.size).to eql(1)
expect(message.to_s).not_to include("Resent: Unencrypted to someone@example.org")
expect(message.to_s).to include("Error: Invalid resend-address: #{invalid_recipient}")
teardown_list_and_mailer(list)
end
it "x-sign-this with inline text" do
list = create(:list)
list.subscribe("schleuder@example.org", '59C71FB38AEE22E091C78259D06350440F759BD3', true)
......
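Review bot: The last positive expectation in "x-resend with invalid recipient" looks for `Error: Invalid resend-address: ...`, but the `en` string this commit adds for `plugins.resend.invalid_recipient` reads `Invalid email-address for resending: %{address}`. As shown, the assertion seems unable to match unless the text comes from somewhere not visible here. Building the expected text from the locale keeps the two in step, for example `expect(message.to_s).to include(I18n.t("plugins.resend.invalid_recipient", address: invalid_recipient))`. The negative expectation on `someone@example.org` cannot fail, because that address is never used in this test. Asserting that the single delivery goes to the admin and contains no `Resent:` line would pin the block-on-invalid behaviour.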