From 81b066397b7eb9756e45237380bc9f890a68bf5e Mon Sep 17 00:00:00 2001
From: Karel Picman
Date: Tue, 23 Jan 2018 12:12:55 +0100
Subject: [PATCH] Security Issue (Mail-Spoofing) #821, #708
---
app/controllers/dmsf_controller.rb | 8 +++---
app/models/dmsf_mailer.rb | 2 +-
app/views/dmsf/email_entries.html.erb | 9 ++++---
app/views/settings/_dmsf_settings.html.erb | 31 +++++++++++++++++++++-
config/locales/cs.yml | 4 +++
config/locales/de.yml | 4 +++
config/locales/en.yml | 4 +++
config/locales/es.yml | 4 +++
config/locales/fr.yml | 4 +++
config/locales/hu.yml | 4 +++
config/locales/it.yml | 4 +++
config/locales/ja.yml | 4 +++
config/locales/pl.yml | 4 +++
config/locales/pt-BR.yml | 4 +++
config/locales/ru.yml | 4 +++
config/locales/sl.yml | 4 +++
config/locales/zh-TW.yml | 4 +++
config/locales/zh.yml | 4 +++
init.rb | 5 +++-
lib/dmsf_zip.rb | 7 +++--
20 files changed, 105 insertions(+), 13 deletions(-)
diff --git a/app/controllers/dmsf_controller.rb b/app/controllers/dmsf_controller.rb
index c4d25037..01cb01af 100644
--- a/app/controllers/dmsf_controller.rb
+++ b/app/controllers/dmsf_controller.rb
@@ -369,13 +369,15 @@ class DmsfController < ApplicationController
 :folders => selected_folders,
 :files => selected_files,
 :subject => "#{@project.name} #{l(:label_dmsf_file_plural).downcase}",
- :from => "#{User.current.name} <#{User.current.mail}>"
+ :from => Setting.plugin_redmine_dmsf['dmsf_documents_email_from'].blank? ?
+ "#{User.current.name} <#{User.current.mail}>" : Setting.plugin_redmine_dmsf['dmsf_documents_email_from'],
+ :reply_to => Setting.plugin_redmine_dmsf['dmsf_documents_email_reply_to']
 }
 render :action => 'email_entries'
 rescue Exception
 raise
 ensure
- zip.close
+ zip.close if zip
 end
 end
@@ -397,7 +399,7 @@ class DmsfController < ApplicationController
 rescue Exception
 raise
 ensure
- zip.close
+ zip.close if zip
 end
 end
diff --git a/app/models/dmsf_mailer.rb b/app/models/dmsf_mailer.rb
index 044b141b..c9d3c88d 100644
--- a/app/models/dmsf_mailer.rb
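Review bot: The `:from` fallback in the first hunk still places the logged-in user's own address in the From header whenever `dmsf_documents_email_from` is blank, and init.rb in this same patch ships that setting blank, so the spoofing behaviour named in the subject stays the default on every installation that never touches the new setting. A safer default is the instance's configured sender with the user reachable only via Reply-To: `:from => Setting.plugin_redmine_dmsf['dmsf_documents_email_from'].presence || Setting.mail_from,` and `:reply_to => Setting.plugin_redmine_dmsf['dmsf_documents_email_reply_to'].presence || User.current.mail`, which also replaces the two-line ternary with the idiomatic `presence ||`. The `rescue Exception` / `raise` / `ensure` kept as context in both hunks is a no-op wrapper around `ensure` and could be reduced to `ensure` alone. The enclosing action in each hunk begins outside the hunk.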
+++ b/app/models/dmsf_mailer.rb
@@ -64,7 +64,7 @@ class DmsfMailer < Mailer
 attachments['Documents.zip'] = { :content_type => 'application/zip', :content => zipped_content_data }
 end
 mail :to => email_params[:to], :cc => email_params[:cc],
- :subject => email_params[:subject], 'From' => email_params[:from]
+ :subject => email_params[:subject], 'From' => email_params[:from], 'Reply-To' => email_params[:reply_to]
 end
 def workflow_notification(user, workflow, revision, subject_id, text1_id, text2_id, notice = nil)
diff --git a/app/views/dmsf/email_entries.html.erb b/app/views/dmsf/email_entries.html.erb
index ceffc0df..0ae1bcbe 100644
--- a/app/views/dmsf/email_entries.html.erb
+++ b/app/views/dmsf/email_entries.html.erb
@@ -33,6 +33,7 @@
 <%= hidden_field_tag('email[folders]', @email_params[:folders].to_json) %>
 <%= hidden_field_tag('email[files]', @email_params[:files].to_json) %>
 <%= hidden_field_tag('email[from]', @email_params[:from]) %>
+ <%= hidden_field_tag('email[reply_to]', @email_params[:reply_to]) %>
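Review bot: `'Reply-To' => email_params[:reply_to]` in the `mail` call passes the setting through unnormalised, and with the blank default that init.rb adds the value is an empty string rather than nil; unless the mail library discards empty values, an empty `Reply-To:` header is emitted on every message until an administrator fills the setting in. Normalising at the call site, `'Reply-To' => email_params[:reply_to].presence`, keeps the header absent when nothing is configured, and the same treatment would protect `'From'` should a caller ever pass a blank override. The mailer method that contains this call starts outside the hunk.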

<%= label_tag('', l(:label_email_from)) %> @@ -53,9 +54,11 @@
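Review bot: The new `email[reply_to]` hidden field, like the existing `email[from]` beside it, round-trips the sender headers through the browser, so whatever the send action later reads from `params[:email]` (that action is not in this patch) is client-controlled and can carry any From/Reply-To value, which would undo the server-side override the settings page introduces. The send action should recompute both headers from `Setting.plugin_redmine_dmsf` and `User.current` exactly as the preview action does, after which these hidden fields can be dropped or kept purely for display. The re-wrapped download link in the next hunk raises the same trust question: `:path => @email_params[:zipped_content]` appears to hand a server-side temp-file path to the client, and if the download action does not confine that path to the DMSF temp directory it should. The form enclosing both hunks begins outside the hunk.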

<%= label_tag('', l(:label_email_documents)) %> - <%= link_to 'Documents.zip', download_email_entries_path(:id => @project, :folder_id => @folder, :path => @email_params[:zipped_content]) %> + <%= link_to 'Documents.zip', download_email_entries_path(:id => @project, :folder_id => @folder, + :path => @email_params[:zipped_content]) %> <%= l(:label_or) %> - <%= check_box_tag('email[links_only]', 1, false, :onchange => "$('#public_url').toggle()") %> <%= l(:label_links_only) %> + <%= check_box_tag('email[links_only]', 1, Setting.plugin_redmine_dmsf['dmsf_documents_email_links_only'], + :onchange => "$('#public_url').toggle()") %> <%= l(:label_links_only) %> <%= render(:partial => 'dmsf_public_urls/new') %>

@@ -67,4 +70,4 @@

<%= submit_tag(l(:label_email_send)) %>

<% end %> -<%= wikitoolbar_for 'email_body' %> \ No newline at end of file +<%= wikitoolbar_for 'email_body' %> diff --git a/app/views/settings/_dmsf_settings.html.erb b/app/views/settings/_dmsf_settings.html.erb index 970748c9..7ac36bda 100644 --- a/app/views/settings/_dmsf_settings.html.erb +++ b/app/views/settings/_dmsf_settings.html.erb @@ -164,7 +164,7 @@ <%= check_box_tag('settings[dmsf_act_as_attachable]', true, @settings['dmsf_act_as_attachable']) %> <%= l(:note_dmsf_act_as_attachable) %>
- <%= l(:label_default)%>: <%= l(:general_text_No)%> + <%= l(:label_default) %>: <%= l(:general_text_No) %>

@@ -175,6 +175,35 @@ <%= render(:partial => 'settings/dmsf_columns', :locals => { :selected_columns => @settings['dmsf_columns'] }) %> +
+ + <%= l(:heading_send_documents_by_email) %> + + +

+ <%= content_tag(:label, l(:label_email_from_override)) %> + <%= text_field_tag 'settings[dmsf_documents_email_from]', @settings['dmsf_documents_email_from'], :size => 128 %> + + <%= l(:label_default) %>: <%= l(:text_email_from_override) %> + +

+ +

+ <%= content_tag(:label, l(:label_email_reply_to)) %> + <%= text_field_tag 'settings[dmsf_documents_email_reply_to]', @settings['dmsf_documents_email_reply_to'], :size => 128 %> + + <%= l(:label_default) %>: <%= "''" %> + +

+ +

+ <%= content_tag(:label, l(:label_links_only).capitalize) %> + <%= check_box_tag('settings[dmsf_documents_email_links_only]', true, @settings['dmsf_documents_email_links_only']) %> + + <%= l(:label_default) %>: <%= l(:general_text_No) %> + +

+
<%= l(:field_label_dmsf_workflow) %> diff --git a/config/locales/cs.yml b/config/locales/cs.yml index 7efb3c9e..3c54c9cf 100644 --- a/config/locales/cs.yml +++ b/config/locales/cs.yml @@ -366,6 +366,10 @@ cs: error_file_tmpdir_does_not_exist: "Adresář pro dočasné soubory neexistuje a nemůže být vytvořen" error_tmpfile_can_not_be_created: "Nelze vytvořit soubor v adresáři pro dočasné soubory" + label_email_from_override: Od + text_email_from_override: aktuálně přihlášený uživatel + label_email_reply_to: Odpovědět komu + easy_pages: modules: dmsf_locked_documents: My locked documents diff --git a/config/locales/de.yml b/config/locales/de.yml index 4817514e..1d2328f6 100644 --- a/config/locales/de.yml +++ b/config/locales/de.yml @@ -363,6 +363,10 @@ de: error_file_tmpdir_does_not_exist: "Temporary file path doesn't exist and can't be created" error_tmpfile_can_not_be_created: "Files can't be created in temporary file path directory" + label_email_from_override: From + text_email_from_override: The user currently logged in + label_email_reply_to: Reply-to + easy_pages: modules: dmsf_locked_documents: My locked documents diff --git a/config/locales/en.yml b/config/locales/en.yml index 0f3b8d1b..87f01cd1 100644 --- a/config/locales/en.yml +++ b/config/locales/en.yml @@ -366,6 +366,10 @@ en: error_file_tmpdir_does_not_exist: "Temporary file path doesn't exist and can't be created" error_tmpfile_can_not_be_created: "Files can't be created in temporary file path directory" + label_email_from_override: From + text_email_from_override: The user currently logged in + label_email_reply_to: Reply-to + easy_pages: modules: dmsf_locked_documents: My locked documents diff --git a/config/locales/es.yml b/config/locales/es.yml index 6902e514..e8d78c4c 100644 --- a/config/locales/es.yml +++ b/config/locales/es.yml 
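Review bot: The `settings[dmsf_documents_email_from]` text field accepts any string and the controller copies it straight into the From header, with no format check and no hint on the page that it has to be a mailbox the mail host is permitted to send for (SPF/DMARC), which is the very failure mode the subject is about. Validating it as a single mailbox before it is used, or at least documenting that constraint next to the field, keeps an administrator from trading user-spoofing for a rejected sender. Rendering the empty default as `<%= "''" %>` is also odd; `''` can simply be written as text. The settings form around this hunk starts outside it.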
@@ -366,6 +366,10 @@ es: error_file_tmpdir_does_not_exist: "Temporary file path doesn't exist and can't be created" error_tmpfile_can_not_be_created: "Files can't be created in temporary file path directory" + label_email_from_override: From + text_email_from_override: The user currently logged in + label_email_reply_to: Reply-to + easy_pages: modules: dmsf_locked_documents: My locked documents diff --git a/config/locales/fr.yml b/config/locales/fr.yml index a733a5eb..6b0aea85 100644 --- a/config/locales/fr.yml +++ b/config/locales/fr.yml @@ -366,6 +366,10 @@ fr: error_file_tmpdir_does_not_exist: "Temporary file path doesn't exist and can't be created" error_tmpfile_can_not_be_created: "Files can't be created in temporary file path directory" + label_email_from_override: From + text_email_from_override: The user currently logged in + label_email_reply_to: Reply-to + easy_pages: modules: dmsf_locked_documents: My locked documents diff --git a/config/locales/hu.yml b/config/locales/hu.yml index 638b9cbb..f26fd205 100644 --- a/config/locales/hu.yml +++ b/config/locales/hu.yml @@ -366,6 +366,10 @@ hu: error_file_tmpdir_does_not_exist: "Temporary file path doesn't exist and can't be created" error_tmpfile_can_not_be_created: "Files can't be created in temporary file path directory" + label_email_from_override: From + text_email_from_override: The user currently logged in + label_email_reply_to: Reply-to + easy_pages: modules: dmsf_locked_documents: My locked documents diff --git a/config/locales/it.yml b/config/locales/it.yml index e85a0db4..d92bd5a1 100644 --- a/config/locales/it.yml +++ b/config/locales/it.yml 
@@ -366,6 +366,10 @@ it: # Italian strings thx 2 Matteo Arceci! error_file_tmpdir_does_not_exist: "Temporary file path doesn't exist and can't be created" error_tmpfile_can_not_be_created: "Files can't be created in temporary file path directory" + label_email_from_override: From + text_email_from_override: The user currently logged in + label_email_reply_to: Reply-to + easy_pages: modules: dmsf_locked_documents: My locked documents diff --git a/config/locales/ja.yml b/config/locales/ja.yml index b1aab635..77d43d37 100644 --- a/config/locales/ja.yml +++ b/config/locales/ja.yml @@ -366,6 +366,10 @@ ja: error_file_tmpdir_does_not_exist: "Temporary file path doesn't exist and can't be created" error_tmpfile_can_not_be_created: "Files can't be created in temporary file path directory" + label_email_from_override: From + text_email_from_override: The user currently logged in + label_email_reply_to: Reply-to + easy_pages: modules: dmsf_locked_documents: My locked documents diff --git a/config/locales/pl.yml b/config/locales/pl.yml index 2a6a289d..a84c2704 100644 --- a/config/locales/pl.yml +++ b/config/locales/pl.yml @@ -366,6 +366,10 @@ pl: error_file_tmpdir_does_not_exist: "Temporary file path doesn't exist and can't be created" error_tmpfile_can_not_be_created: "Files can't be created in temporary file path directory" + label_email_from_override: From + text_email_from_override: The user currently logged in + label_email_reply_to: Reply-to + easy_pages: modules: dmsf_locked_documents: My locked documents diff --git a/config/locales/pt-BR.yml b/config/locales/pt-BR.yml index b7456fa9..2db80a38 100644 --- a/config/locales/pt-BR.yml +++ b/config/locales/pt-BR.yml 
@@ -366,6 +366,10 @@ pt-BR: error_file_tmpdir_does_not_exist: "Temporary file path doesn't exist and can't be created" error_tmpfile_can_not_be_created: "Files can't be created in temporary file path directory" + label_email_from_override: From + text_email_from_override: The user currently logged in + label_email_reply_to: Reply-to + easy_pages: modules: dmsf_locked_documents: My locked documents diff --git a/config/locales/ru.yml b/config/locales/ru.yml index f566c5af..9e1ddcb0 100644 --- a/config/locales/ru.yml +++ b/config/locales/ru.yml @@ -366,6 +366,10 @@ ru: error_file_tmpdir_does_not_exist: "Temporary file path doesn't exist and can't be created" error_tmpfile_can_not_be_created: "Files can't be created in temporary file path directory" + label_email_from_override: From + text_email_from_override: The user currently logged in + label_email_reply_to: Reply-to + easy_pages: modules: dmsf_locked_documents: My locked documents diff --git a/config/locales/sl.yml b/config/locales/sl.yml index b16fcc49..d0689bbf 100644 --- a/config/locales/sl.yml +++ b/config/locales/sl.yml @@ -366,6 +366,10 @@ sl: error_file_tmpdir_does_not_exist: "Temporary file path doesn't exist and can't be created" error_tmpfile_can_not_be_created: "Files can't be created in temporary file path directory" + label_email_from_override: From + text_email_from_override: The user currently logged in + label_email_reply_to: Reply-to + easy_pages: modules: dmsf_locked_documents: My locked documents diff --git a/config/locales/zh-TW.yml b/config/locales/zh-TW.yml index 3a961980..a6c35fe5 100644 --- a/config/locales/zh-TW.yml +++ b/config/locales/zh-TW.yml 
@@ -366,6 +366,10 @@ zh-TW:
 error_file_tmpdir_does_not_exist: "Temporary file path doesn't exist and can't be created"
 error_tmpfile_can_not_be_created: "Files can't be created in temporary file path directory"
+ label_email_from_override: From
+ text_email_from_override: The user currently logged in
+ label_email_reply_to: Reply-to
+
 easy_pages:
 modules:
 dmsf_locked_documents: My locked documents
diff --git a/config/locales/zh.yml b/config/locales/zh.yml
index 30599ae1..fb3550e3 100644
--- a/config/locales/zh.yml
+++ b/config/locales/zh.yml
@@ -366,6 +366,10 @@ zh:
 error_file_tmpdir_does_not_exist: "Temporary file path doesn't exist and can't be created"
 error_tmpfile_can_not_be_created: "Files can't be created in temporary file path directory"
+ label_email_from_override: From
+ text_email_from_override: The user currently logged in
+ label_email_reply_to: Reply-to
+
 easy_pages:
 modules:
 dmsf_locked_documents: My locked documents
diff --git a/init.rb b/init.rb
index a5701848..bde50654 100644
--- a/init.rb
+++ b/init.rb
@@ -56,7 +56,10 @@ Redmine::Plugin.register :redmine_dmsf do
 'dmsf_act_as_attachable' => false,
 'dmsf_show_system_folders' => false,
 'dmsf_webdav_caching_enabled' => false,
- 'dmsf_tmpdir' => Dir.tmpdir
+ 'dmsf_tmpdir' => Dir.tmpdir,
+ 'dmsf_documents_email_from' => '',
+ 'dmsf_documents_email_reply_to' => '',
+ 'dmsf_documents_email_links_only' => false
 }
 # Uncomment to remove the original Documents from searching (replaced with DMSF)
diff --git a/lib/dmsf_zip.rb b/lib/dmsf_zip.rb
index 83aeed04..cddc0525 100644
--- a/lib/dmsf_zip.rb
+++ b/lib/dmsf_zip.rb
@@ -26,20 +26,19 @@ class DmsfZip
 attr_reader :files
 def initialize()
- @zip = DmsfHelper.temp_dir.join(DmsfHelper.temp_filename('dmsf_zip.zip'))
- @zip_file = Zip::OutputStream.new(@zip.path)
+ @zip_path = DmsfHelper.temp_dir.join(DmsfHelper.temp_filename('dmsf_zip.zip'))
+ @zip_file = Zip::OutputStream.new(@zip_path)
 @files = []
 @folders = []
 end
 def finish
 @zip_file.close
- @zip.path
+ @zip_path
 end
 def close
 @zip_file.close
- @zip.close
 end
 def add_file(file, member, root_path = nil)
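Review bot: After this change `close` only closes the `Zip::OutputStream`, and nothing in the class removes the archive at `@zip_path`, so each e-mail preview leaves a zip of project documents in the DMSF temp directory until something else sweeps it — a disk-usage concern and, on a shared temp directory, a potential exposure of document contents. Since the download link still needs the file after `close`, deletion belongs in the download action or a sweeper, but the ownership should be stated here: `# Closes the stream only; the file at @zip_path is left for the download action to serve and remove.` `finish` and `close` both call `@zip_file.close`, so the controller's `finish` followed by `zip.close if zip` in `ensure` depends on the zip library tolerating a second close, which deserves a comment or an idempotence guard in `close`. `def initialize()` can drop the empty parentheses.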