Security Issue (Mail-Spoofing) #821, #708

app/controllers/dmsf_controller.rb

@@ -369,13 +369,15 @@ class DmsfController < ApplicationController
         :folders => selected_folders,
         :files => selected_files,
         :subject => "#{@project.name} #{l(:label_dmsf_file_plural).downcase}",
-        :from => "#{User.current.name} <#{User.current.mail}>"
+        :from => Setting.plugin_redmine_dmsf['dmsf_documents_email_from'].blank? ?
+          "#{User.current.name} <#{User.current.mail}>" : Setting.plugin_redmine_dmsf['dmsf_documents_email_from'],
+        :reply_to => Setting.plugin_redmine_dmsf['dmsf_documents_email_reply_to']
       }
       render :action => 'email_entries'
     rescue Exception
       raise
     ensure
-      zip.close
+      zip.close if zip
     end
   end
 
@@ -397,7 +399,7 @@ class DmsfController < ApplicationController
     rescue Exception
       raise
     ensure
-      zip.close
+      zip.close if zip
     end
   end
 

app/models/dmsf_mailer.rb

@@ -64,7 +64,7 @@ class DmsfMailer < Mailer
       attachments['Documents.zip'] = { :content_type => 'application/zip', :content => zipped_content_data }
     end
     mail :to => email_params[:to], :cc => email_params[:cc],
-      :subject => email_params[:subject], 'From' => email_params[:from]
+      :subject => email_params[:subject], 'From' => email_params[:from], 'Reply-To' => email_params[:reply_to]
   end
 
   def workflow_notification(user, workflow, revision, subject_id, text1_id, text2_id, notice = nil)

app/views/dmsf/email_entries.html.erb

@@ -33,6 +33,7 @@
   <%= hidden_field_tag('email[folders]', @email_params[:folders].to_json) %>
   <%= hidden_field_tag('email[files]', @email_params[:files].to_json) %>
   <%= hidden_field_tag('email[from]', @email_params[:from]) %>
+  <%= hidden_field_tag('email[reply_to]', @email_params[:reply_to]) %>
   <div class="box tabular">
     <p>
       <%= label_tag('', l(:label_email_from)) %>      
@@ -53,9 +54,11 @@
     <p>
       <%= label_tag('', l(:label_email_documents)) %>
       <span>
-        <%= link_to 'Documents.zip', download_email_entries_path(:id => @project, :folder_id => @folder, :path => @email_params[:zipped_content]) %>       
+        <%= link_to 'Documents.zip', download_email_entries_path(:id => @project, :folder_id => @folder,
+                                                                 :path => @email_params[:zipped_content]) %>
         <%= l(:label_or) %>
-        <%= check_box_tag('email[links_only]', 1, false, :onchange => "$('#public_url').toggle()") %> <%= l(:label_links_only) %>
+        <%= check_box_tag('email[links_only]', 1, Setting.plugin_redmine_dmsf['dmsf_documents_email_links_only'],
+                          :onchange => "$('#public_url').toggle()") %> <%= l(:label_links_only) %>
         <%= render(:partial => 'dmsf_public_urls/new') %>
       </span>
     </p>
@@ -67,4 +70,4 @@
   <p><%= submit_tag(l(:label_email_send)) %></p>
 <% end %>
 
-<%= wikitoolbar_for 'email_body' %>
+<%= wikitoolbar_for 'email_body' %>

app/views/settings/_dmsf_settings.html.erb

@@ -164,7 +164,7 @@
   <%= check_box_tag('settings[dmsf_act_as_attachable]', true, @settings['dmsf_act_as_attachable']) %>
   <em class="info">
     <%= l(:note_dmsf_act_as_attachable) %><br/>
-    <%= l(:label_default)%>: <%= l(:general_text_No)%>
+    <%= l(:label_default) %>: <%= l(:general_text_No) %>
   </em>
 </p>
 
@@ -175,6 +175,35 @@
 
 <%= render(:partial => 'settings/dmsf_columns', :locals => { :selected_columns => @settings['dmsf_columns'] }) %>
 
+<hr/>
+<em class="info">
+  <%= l(:heading_send_documents_by_email) %>
+</em>
+
+<p>
+  <%= content_tag(:label, l(:label_email_from_override)) %>
+  <%= text_field_tag 'settings[dmsf_documents_email_from]', @settings['dmsf_documents_email_from'], :size => 128 %>
+  <em class="info">
+    <%= l(:label_default) %>: <%= l(:text_email_from_override) %>
+  </em>
+</p>
+
+<p>
+  <%= content_tag(:label, l(:label_email_reply_to)) %>
+  <%= text_field_tag 'settings[dmsf_documents_email_reply_to]', @settings['dmsf_documents_email_reply_to'], :size => 128 %>
+  <em class="info">
+    <%= l(:label_default) %>: <%= "''" %>
+  </em>
+</p>
+
+<p>
+  <%= content_tag(:label, l(:label_links_only).capitalize) %>
+  <%= check_box_tag('settings[dmsf_documents_email_links_only]', true, @settings['dmsf_documents_email_links_only']) %>
+  <em class="info">
+    <%= l(:label_default) %>: <%= l(:general_text_No) %>
+  </em>
+</p>
+
 <hr/>
 <em class="info">
   <%= l(:field_label_dmsf_workflow) %>

config/locales/cs.yml

@@ -366,6 +366,10 @@ cs:
   error_file_tmpdir_does_not_exist: "Adresář pro dočasné soubory neexistuje a nemůže být vytvořen"
   error_tmpfile_can_not_be_created: "Nelze vytvořit soubor v adresáři pro dočasné soubory"
 
+  label_email_from_override: Od
+  text_email_from_override: aktuálně přihlášený uživatel
+  label_email_reply_to: Odpovědět komu
+
   easy_pages:
     modules:
       dmsf_locked_documents: My locked documents

config/locales/de.yml

@@ -363,6 +363,10 @@ de:
   error_file_tmpdir_does_not_exist: "Temporary file path doesn't exist and can't be created"
   error_tmpfile_can_not_be_created: "Files can't be created in temporary file path directory"
 
+  label_email_from_override: From
+  text_email_from_override: The user currently logged in
+  label_email_reply_to: Reply-to
+
   easy_pages:
     modules:
       dmsf_locked_documents: My locked documents

config/locales/en.yml

@@ -366,6 +366,10 @@ en:
   error_file_tmpdir_does_not_exist: "Temporary file path doesn't exist and can't be created"
   error_tmpfile_can_not_be_created: "Files can't be created in temporary file path directory"
 
+  label_email_from_override: From
+  text_email_from_override: The user currently logged in
+  label_email_reply_to: Reply-to
+
   easy_pages:
     modules:
       dmsf_locked_documents: My locked documents

config/locales/es.yml

@@ -366,6 +366,10 @@ es:
   error_file_tmpdir_does_not_exist: "Temporary file path doesn't exist and can't be created"
   error_tmpfile_can_not_be_created: "Files can't be created in temporary file path directory"
 
+  label_email_from_override: From
+  text_email_from_override: The user currently logged in
+  label_email_reply_to: Reply-to
+
   easy_pages:
     modules:
       dmsf_locked_documents: My locked documents

config/locales/fr.yml

@@ -366,6 +366,10 @@ fr:
   error_file_tmpdir_does_not_exist: "Temporary file path doesn't exist and can't be created"
   error_tmpfile_can_not_be_created: "Files can't be created in temporary file path directory"
 
+  label_email_from_override: From
+  text_email_from_override: The user currently logged in
+  label_email_reply_to: Reply-to
+
   easy_pages:
     modules:
       dmsf_locked_documents: My locked documents

config/locales/hu.yml

@@ -366,6 +366,10 @@ hu:
   error_file_tmpdir_does_not_exist: "Temporary file path doesn't exist and can't be created"
   error_tmpfile_can_not_be_created: "Files can't be created in temporary file path directory"
 
+  label_email_from_override: From
+  text_email_from_override: The user currently logged in
+  label_email_reply_to: Reply-to
+
   easy_pages:
     modules:
       dmsf_locked_documents: My locked documents

config/locales/it.yml

@@ -366,6 +366,10 @@ it: # Italian strings thx 2 Matteo Arceci!
   error_file_tmpdir_does_not_exist: "Temporary file path doesn't exist and can't be created"
   error_tmpfile_can_not_be_created: "Files can't be created in temporary file path directory"
 
+  label_email_from_override: From
+  text_email_from_override: The user currently logged in
+  label_email_reply_to: Reply-to
+
   easy_pages:
     modules:
       dmsf_locked_documents: My locked documents

config/locales/ja.yml

@@ -366,6 +366,10 @@ ja:
   error_file_tmpdir_does_not_exist: "Temporary file path doesn't exist and can't be created"
   error_tmpfile_can_not_be_created: "Files can't be created in temporary file path directory"
 
+  label_email_from_override: From
+  text_email_from_override: The user currently logged in
+  label_email_reply_to: Reply-to
+
   easy_pages:
     modules:
       dmsf_locked_documents: My locked documents

config/locales/pl.yml

@@ -366,6 +366,10 @@ pl:
   error_file_tmpdir_does_not_exist: "Temporary file path doesn't exist and can't be created"
   error_tmpfile_can_not_be_created: "Files can't be created in temporary file path directory"
 
+  label_email_from_override: From
+  text_email_from_override: The user currently logged in
+  label_email_reply_to: Reply-to
+
   easy_pages:
     modules:
       dmsf_locked_documents: My locked documents

config/locales/pt-BR.yml

@@ -366,6 +366,10 @@ pt-BR:
   error_file_tmpdir_does_not_exist: "Temporary file path doesn't exist and can't be created"
   error_tmpfile_can_not_be_created: "Files can't be created in temporary file path directory"
 
+  label_email_from_override: From
+  text_email_from_override: The user currently logged in
+  label_email_reply_to: Reply-to
+
   easy_pages:
     modules:
       dmsf_locked_documents: My locked documents

config/locales/ru.yml

@@ -366,6 +366,10 @@ ru:
   error_file_tmpdir_does_not_exist: "Temporary file path doesn't exist and can't be created"
   error_tmpfile_can_not_be_created: "Files can't be created in temporary file path directory"
 
+  label_email_from_override: From
+  text_email_from_override: The user currently logged in
+  label_email_reply_to: Reply-to
+
   easy_pages:
     modules:
       dmsf_locked_documents: My locked documents

config/locales/sl.yml

@@ -366,6 +366,10 @@ sl:
   error_file_tmpdir_does_not_exist: "Temporary file path doesn't exist and can't be created"
   error_tmpfile_can_not_be_created: "Files can't be created in temporary file path directory"
 
+  label_email_from_override: From
+  text_email_from_override: The user currently logged in
+  label_email_reply_to: Reply-to
+
   easy_pages:
     modules:
       dmsf_locked_documents: My locked documents

config/locales/zh-TW.yml

@@ -366,6 +366,10 @@ zh-TW:
   error_file_tmpdir_does_not_exist: "Temporary file path doesn't exist and can't be created"
   error_tmpfile_can_not_be_created: "Files can't be created in temporary file path directory"
 
+  label_email_from_override: From
+  text_email_from_override: The user currently logged in
+  label_email_reply_to: Reply-to
+
   easy_pages:
     modules:
       dmsf_locked_documents: My locked documents

config/locales/zh.yml

@@ -366,6 +366,10 @@ zh:
   error_file_tmpdir_does_not_exist: "Temporary file path doesn't exist and can't be created"
   error_tmpfile_can_not_be_created: "Files can't be created in temporary file path directory"
 
+  label_email_from_override: From
+  text_email_from_override: The user currently logged in
+  label_email_reply_to: Reply-to
+
   easy_pages:
     modules:
       dmsf_locked_documents: My locked documents

init.rb

@@ -56,7 +56,10 @@ Redmine::Plugin.register :redmine_dmsf do
               'dmsf_act_as_attachable' => false,
               'dmsf_show_system_folders' => false,
               'dmsf_webdav_caching_enabled' => false,
-              'dmsf_tmpdir' => Dir.tmpdir
+              'dmsf_tmpdir' => Dir.tmpdir,
+              'dmsf_documents_email_from' => '',
+              'dmsf_documents_email_reply_to' => '',
+              'dmsf_documents_email_links_only' => false
             }
 
   # Uncomment to remove the original Documents from searching (replaced with DMSF)

lib/dmsf_zip.rb

@@ -26,20 +26,19 @@ class DmsfZip
   attr_reader :files
 
   def initialize()
-    @zip = DmsfHelper.temp_dir.join(DmsfHelper.temp_filename('dmsf_zip.zip'))
-    @zip_file = Zip::OutputStream.new(@zip.path)
+    @zip_path = DmsfHelper.temp_dir.join(DmsfHelper.temp_filename('dmsf_zip.zip'))
+    @zip_file = Zip::OutputStream.new(@zip_path)
     @files = []
     @folders = []
   end
 
   def finish
     @zip_file.close
-    @zip.path
+    @zip_path
   end
 
   def close
     @zip_file.close
-    @zip.close
   end
 
   def add_file(file, member, root_path = nil)