mailinabox

mirror of https://github.com/mail-in-a-box/mailinabox.git synced 2026-03-16 17:47:23 +01:00

Files

Joshua Tauberer 35a360ef0b simplify how munin-cgi-graph is called to reduce the attack surface area

Seems like if REQUEST_METHOD is set to GET, then we can drop two redundant ways the query string is given. munin-cgi-graph itself reads the environment variables only, but its calls to Perl's CGI::param will look at the command line if REQUEST_METHOD is not used, otherwise it uses environment variables like CGI used to work.

Since this is all behind admin auth anyway, there isn't a public vulnerability. #914 was opened without comment which lead me to notice the redundancy and worry about a vulnerability, before I realized this is admin-only anyway.

2016-08-19 12:42:43 -04:00

templates

Update Bootstrap to 3.3.7 (#909 )

2016-08-15 18:06:12 -04:00

auth.py

the control panel auth hmac message should also include the user's password so that resetting a password in the database forces that user to log in to the control panel again; also use a sha256 hmac

2015-06-06 12:38:19 +00:00

backup.py

Added a pre-backup script to complement post-backup script.

2016-05-11 10:11:16 +02:00

csr_country_codes.tsv

drop the CSR_COUNTRY setting and ask within the control panel