external/mailinabox
1
0
Fork 0
mirror of https://github.com/mail-in-a-box/mailinabox.git synced 2025-04-29 04:17:07 +00:00
Code Issues Releases Wiki Activity

[Issue #1159] Remove any +tag name in email alias before checking privileges

Browse Source
This commit is contained in:
Git Repository 2017-05-23 17:21:46 -07:00
parent 8234a5a9f4
commit 0505adf576
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
management/mailconfig.py
View File

@ -433,11 +433,13 @@ def add_mail_alias(address, forwards_to, permitted_senders, env, update_if_exist
for line in forwards_to.split("\n"): for line in forwards_to.split("\n"):
for email in line.split(","): for email in line.split(","):
email = email.strip() email = email.strip()
# Strip any +tag from email alias and check privileges
privileged_email = re.sub(r"(?=\+)[^@]*(?=@)",'',email)
if email == "": continue if email == "": continue
email = sanitize_idn_email_address(email) # Unicode => IDNA email = sanitize_idn_email_address(email) # Unicode => IDNA
if not validate_email(email): if not validate_email(email):
return ("Invalid receiver email address (%s)." % email, 400) return ("Invalid receiver email address (%s)." % email, 400)
if is_dcv_source and not is_dcv_address(email) and "admin" not in get_mail_user_privileges(email, env, empty_on_error=True): if is_dcv_source and not is_dcv_address(email) and "admin" not in get_mail_user_privileges(privileged_email, env, empty_on_error=True):
# Make domain control validation hijacking a little harder to mess up by # Make domain control validation hijacking a little harder to mess up by
# requiring aliases for email addresses typically used in DCV to forward # requiring aliases for email addresses typically used in DCV to forward
# only to accounts that are administrators on this system. # only to accounts that are administrators on this system.