mailinabox

ミラー元 https://github.com/mail-in-a-box/mailinabox.git 前回の同期 2026-03-18 18:07:22 +01:00

ファイル

Joshua Tauberer a14b17794b simplify how munin-cgi-graph is called to reduce the attack surface area

Seems like if REQUEST_METHOD is set to GET, then we can drop two redundant ways the query string is given. munin-cgi-graph itself reads the environment variables only, but its calls to Perl's CGI::param will look at the command line if REQUEST_METHOD is not used, otherwise it uses environment variables like CGI used to work.

Since this is all behind admin auth anyway, there isn't a public vulnerability. #914 was opened without comment which lead me to notice the redundancy and worry about a vulnerability, before I realized this is admin-only anyway.

The vulnerability was created by 6d6f3ea391.

See #914.

This is the v0.19b hotfix commit.

2016-08-20 11:47:44 -04:00

templates

some minor tweaks to the new users/aliases API documentation

2016-08-08 07:28:10 -04:00

auth.py

the control panel auth hmac message should also include the user's password so that resetting a password in the database forces that user to log in to the control panel again; also use a sha256 hmac

2015-06-06 12:38:19 +00:00

backup.py

Added a pre-backup script to complement post-backup script.

2016-05-11 10:11:16 +02:00

csr_country_codes.tsv

drop the CSR_COUNTRY setting and ask within the control panel