From 9fb59173fc98f8666bbde674be286809da0ab610 Mon Sep 17 00:00:00 2001 From: Luc Didry Date: Oct 28 2018 13:41:29 +0000 Subject: Fix #129 — Add constraints on mail sending to prevent spam sending --- diff --git a/CHANGELOG b/CHANGELOG index 35b9382..a33825c 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -19,6 +19,8 @@ Revision history for Lufi - Display max size on upload page - Add CSRF token challenge on login - Add CSRF token challenge on logout + - Add constraints on mail sending to prevent spam sending (not perfect, but + should be good enough) 0.02.2 2017-09-18 - Fix cron tasks bug diff --git a/cpanfile b/cpanfile index fe52888..93e8979 100644 --- a/cpanfile +++ b/cpanfile @@ -20,6 +20,7 @@ requires 'Data::Entropy'; requires 'Crypt::SaltedHash'; requires 'Data::Validate::URI'; requires 'Term::ProgressBar'; +requires 'URI::Find'; # Mojolicious optional deps feature 'optional_deps' => sub { diff --git a/cpanfile.snapshot b/cpanfile.snapshot index 9b5427a..d922399 100644 --- a/cpanfile.snapshot +++ b/cpanfile.snapshot @@ -1749,6 +1749,16 @@ DISTRIBUTIONS strict 0 utf8 0 warnings 0 + URI-Find-20160806 + pathname: M/MS/MSCHWERN/URI-Find-20160806.tar.gz + provides: + URI::Find 20160806 + URI::Find::Schemeless 20160806 + requirements: + Module::Build 0.30 + Test::More 0.88 + URI 1.60 + perl v5.8.8 URI-Nested-0.10 pathname: D/DW/DWHEELER/URI-Nested-0.10.tar.gz provides: diff --git a/lib/Lufi/Controller/Mail.pm b/lib/Lufi/Controller/Mail.pm index bbfbfbe..2dbb466 100644 --- a/lib/Lufi/Controller/Mail.pm +++ b/lib/Lufi/Controller/Mail.pm 
@@ -1,13 +1,17 @@ # vim:set sw=4 ts=4 sts=4 ft=perl expandtab: package Lufi::Controller::Mail; use Mojo::Base 'Mojolicious::Controller'; -use Email::Valid; use Mojo::JSON qw(decode_json); +use Mojo::URL; +use Email::Valid; +use URI::Find; sub render_mail { my $c = shift; my $links = (defined($c->param('links'))) ? decode_json($c->param('links')) : []; + $c->redirect_to('/') unless (scalar(@{$links})); + $c->render( template => 'mail', links => $links @@ -20,7 +24,34 @@ sub send_mail { my $validation = $c->validation; return $c->render(text => $c->l('Bad CSRF token!'), status => 403) if $validation->csrf_protect->has_error('csrf_token'); - my $emails = $c->param('emails'); + my $emails = $c->param('emails'); + my $body = $c->param('body'); + my $subject = $c->param('subject'); + my $msg = ''; + + my $base_url = $c->req->url->to_abs->path('/r/'); + my $fixed_url = $base_url; + if ($c->config('fixed_domain')) { + $fixed_url->host($c->config('fixed_domain')); + } + my $at_least_one_instance_url = 0; + my $finder = URI::Find->new(sub { + my ($uri, $orig_uri) = @_; + $uri = Mojo::URL->new($uri); + if ($uri->host ne $base_url->to_abs->host && $uri->host ne $fixed_url->to_abs->host) { + $msg .= $c->l('You can\'t add URLs that are not related to this instance.').'
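Review bot: The new guard `$c->redirect_to('/') unless (scalar(@{$links}));` in render_mail does not return, so on an empty link list the redirect is immediately followed by `$c->render(template => 'mail', ...)` for the same request; make it `return $c->redirect_to('/') unless scalar(@{$links});`. The `links` parameter is also handed to `decode_json` unchecked, and a malformed value from the client would presumably die inside the controller rather than reach the redirect — worth wrapping so a bad value is treated as an empty list. render_mail's body continues past the end of this hunk.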
'; + } elsif (index($orig_uri, $fixed_url->to_abs->to_string) > -1) { + $at_least_one_instance_url = 1; + } + return $orig_uri; + }); + $finder->find(\$body); + $finder->find(\$subject); + + $c->debug($at_least_one_instance_url); + unless ($at_least_one_instance_url) { + $msg .= $c->l('The body of the mail must contain at least one URL pointing to a file hosted on this instance.').'
'; + } $emails =~ s/ //g; my @a = split(',', $emails); @@ -33,23 +64,23 @@ sub send_mail { } } - my $msg = ''; if (scalar(@bad)) { - $msg .= $c->l('The following email addresses are not valid: %1', join(', ', @bad))."\n"; + $msg .= $c->l('The following email addresses are not valid: %1', join(', ', @bad)).'
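Review bot: `my $fixed_url = $base_url;` copies a reference to the same Mojo::URL object, so when `fixed_domain` is configured `$fixed_url->host(...)` also rewrites `$base_url`, and the host comparison inside the URI::Find callback no longer accepts links built on the request's own host; use `my $fixed_url = $base_url->clone;`. In the same callback `$uri->host` can be undef for a match without an authority part, which would warn on `ne` and silently count as a foreign URL — a `defined` check there would make the intent explicit. When `fixed_domain` is not set, `$base_url` is derived from the incoming Host header, so the "related to this instance" check is only as strong as the front-end proxy's host handling; that limitation deserves a comment next to the `$base_url` line. The `$c->debug($at_least_one_instance_url);` call looks like leftover instrumentation. send_mail continues beyond this hunk.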
'; } - $msg .= $c->l('You must give email addresses.')."\n" unless (scalar(@a)); - $msg .= $c->l('The email subject can\'t be empty.')."\n" unless ($c->param('subject')); - $msg .= $c->l('The email body can\'t be empty.')."\n" unless ($c->param('body')); + $msg .= $c->l('You must give email addresses.').'
' unless (scalar(@a)); + $msg .= $c->l('The email subject can\'t be empty.').'
' unless ($subject); + $msg .= $c->l('The email body can\'t be empty.').'
' unless ($body); if ($msg) { return $c->render( template => 'mail', msg => $msg, + links => [], values => { emails => $emails, - subject => $c->param('subject'), - body => $c->param('body') + subject => $subject, + body => $body } ) } @@ -57,8 +88,8 @@ sub send_mail { $c->mail( from => $c->config('mail_sender'), bcc => $emails, - subject => $c->param('subject'), - data => $c->param('body') + subject => $subject, + data => $body ); return $c->render( diff --git a/themes/default/lib/Lufi/I18N/ca.po b/themes/default/lib/Lufi/I18N/ca.po index 4480115..bcb0661 100644 --- a/themes/default/lib/Lufi/I18N/ca.po +++ b/themes/default/lib/Lufi/I18N/ca.po @@ -56,6 +56,10 @@ msgstr "Quant a" msgid "Add a password to file(s)" msgstr "" +#: themes/default/templates/mail.html.ep:16 +msgid "Adding URLs not related to this Lufi instance to the mail body or subject is prohibited." +msgstr "" + #: themes/default/templates/about.html.ep:18 msgid "As Lufi is a free software licensed under of the terms of the AGPLv3, you can install it on you own server. Have a look on the Wiki for the procedure." msgstr "Com que Lufi és programari lliure, autoritzat sota els termes de l'AGPLv3, el podeu instal·lar al vostre propi servidor. Pel que fa a com fer-ho, feu un cop d'ull al Wiki." @@ -69,7 +73,7 @@ msgstr "Demanem la part XX1 de %1 del fitxer" msgid "Back to homepage" msgstr "Retorna a la pàgina d'inici" -#: lib/Lufi/Controller/Mail.pm:21 +#: lib/Lufi/Controller/Mail.pm:25 msgid "Bad CSRF token!" msgstr "Mal testimoni CSRF!" @@ -89,7 +93,7 @@ msgstr "Premeu per obrir la selecció de fitxer." msgid "Close" msgstr "Tanca" -#: themes/default/templates/mail.html.ep:22 +#: themes/default/templates/mail.html.ep:23 msgid "Comma-separated email addresses" msgstr "Adreces de correu electrònic separades per comes" 
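Review bot: `$msg` is built with `join(', ', @bad)`, i.e. the raw addresses the user submitted that failed validation, and the template change visible further down in the patch (`<%== stash('msg')%>`) now renders that message unescaped, so an invalid address containing markup is reflected into the page as HTML. Escape the user-controlled part before it enters `$msg`, e.g. `join(', ', map { xml_escape($_) } @bad)` with `use Mojo::Util qw(xml_escape);`, or keep the escaping `<%=` in the template and use a separator that does not need raw output. The literal appended after each `$c->l(...)` in place of `"\n"` is not fully visible in this rendering of the patch, so I cannot confirm what it contains. The loop that fills `@bad` lies in the part of send_mail outside this hunk.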
@@ -153,15 +157,15 @@ msgstr "Arrossegueu i deixeu anar fitxers a l'àrea apropiada o useu el sistema msgid "Drop files here" msgstr "Deixeu anar aquí fitxers." -#: themes/default/templates/mail.html.ep:38 +#: themes/default/templates/mail.html.ep:39 msgid "Email body" msgstr "Cos del correu electrònic" -#: themes/default/templates/mail.html.ep:30 +#: themes/default/templates/mail.html.ep:31 msgid "Email subject" msgstr "Assumpte del correu electrònic" -#: themes/default/templates/mail.html.ep:24 themes/default/templates/mail.html.ep:26 +#: themes/default/templates/mail.html.ep:25 themes/default/templates/mail.html.ep:27 msgid "Emails" msgstr "correus electrònics" @@ -205,10 +209,6 @@ msgstr "Nom de fitxer" msgid "Files deleted at first download" msgstr "" -#: themes/default/templates/mail.html.ep:46 -msgid "Free field" -msgstr "" - #: themes/default/templates/partial/render.js.ep:8 msgid "Get the file" msgstr "Obté el fitxer" @@ -221,7 +221,7 @@ msgstr "Obteniu el codi font al AGPLv3, you can install it on you own server. Have a look on the Wiki for the procedure." msgstr "" @@ -66,7 +70,7 @@ msgstr "" msgid "Back to homepage" msgstr "" -#: lib/Lufi/Controller/Mail.pm:21 +#: lib/Lufi/Controller/Mail.pm:25 msgid "Bad CSRF token!" msgstr "" @@ -86,7 +90,7 @@ msgstr "" msgid "Close" msgstr "" -#: themes/default/templates/mail.html.ep:22 +#: themes/default/templates/mail.html.ep:23 msgid "Comma-separated email addresses" msgstr "" @@ -150,15 +154,15 @@ msgstr "" msgid "Drop files here" msgstr "" -#: themes/default/templates/mail.html.ep:38 +#: themes/default/templates/mail.html.ep:39 msgid "Email body" msgstr "" -#: themes/default/templates/mail.html.ep:30 +#: themes/default/templates/mail.html.ep:31 msgid "Email subject" msgstr "" -#: themes/default/templates/mail.html.ep:24 themes/default/templates/mail.html.ep:26 +#: themes/default/templates/mail.html.ep:25 themes/default/templates/mail.html.ep:27 msgid "Emails" msgstr "" 
@@ -202,10 +206,6 @@ msgstr "" msgid "Files deleted at first download" msgstr "" -#: themes/default/templates/mail.html.ep:46 -msgid "Free field" -msgstr "" - #: themes/default/templates/partial/render.js.ep:8 msgid "Get the file" msgstr "" @@ -218,7 +218,7 @@ msgstr "" msgid "Hello,\\n\\nHere's some files I want to share with you:\\n" msgstr "" -#: themes/default/templates/mail.html.ep:34 +#: themes/default/templates/mail.html.ep:35 msgid "Here's some files" msgstr "" @@ -344,11 +344,11 @@ msgstr "" msgid "Send all links by email" msgstr "" -#: themes/default/templates/mail.html.ep:53 +#: themes/default/templates/mail.html.ep:46 msgid "Send with this server" msgstr "" -#: themes/default/templates/mail.html.ep:54 +#: themes/default/templates/mail.html.ep:47 msgid "Send with your own mail software" msgstr "" @@ -377,15 +377,19 @@ msgstr "" msgid "The administrator can only see the file's name, its size and its mimetype (what kind of file it is: video, text, etc.)." msgstr "" +#: lib/Lufi/Controller/Mail.pm:53 +msgid "The body of the mail must contain at least one URL pointing to a file hosted on this instance." +msgstr "" + #: themes/default/templates/partial/files.js.ep:11 msgid "The data has been successfully imported." msgstr "" -#: lib/Lufi/Controller/Mail.pm:43 +#: lib/Lufi/Controller/Mail.pm:73 msgid "The email body can't be empty." msgstr "" -#: lib/Lufi/Controller/Mail.pm:42 +#: lib/Lufi/Controller/Mail.pm:72 msgid "The email subject can't be empty." msgstr "" @@ -398,7 +402,7 @@ msgid "The files uploaded on a Lufi instance are encrypted before the upload to msgstr "" #. (join(', ', @bad) -#: lib/Lufi/Controller/Mail.pm:38 +#: lib/Lufi/Controller/Mail.pm:68 msgid "The following email addresses are not valid: %1" msgstr "" @@ -406,7 +410,7 @@ msgstr "" msgid "The link(s) has been copied to your clipboard" msgstr "" -#: lib/Lufi/Controller/Mail.pm:66 +#: lib/Lufi/Controller/Mail.pm:97 msgid "The mail has been sent." msgstr "" 
@@ -473,6 +477,10 @@ msgstr "" msgid "You can see the list of your files by clicking on the \"My files\" link at the top right of this page." msgstr "" +#: lib/Lufi/Controller/Mail.pm:42 +msgid "You can't add URLs that are not related to this instance." +msgstr "" + #: themes/default/templates/about.html.ep:8 msgid "You don't need to register yourself to upload files but be aware that, for legal reasons, your IP address will be stored when you send a file. Don't panic, this is normally the case for all sites on which you send files." msgstr "" @@ -493,7 +501,7 @@ msgstr "" msgid "You have been successfully logged out." msgstr "" -#: lib/Lufi/Controller/Mail.pm:41 +#: lib/Lufi/Controller/Mail.pm:71 msgid "You must give email addresses." msgstr "" diff --git a/themes/default/lib/Lufi/I18N/fr.po b/themes/default/lib/Lufi/I18N/fr.po index 3c8e0cb..2036774 100644 --- a/themes/default/lib/Lufi/I18N/fr.po +++ b/themes/default/lib/Lufi/I18N/fr.po @@ -55,6 +55,10 @@ msgstr "À propos" msgid "Add a password to file(s)" msgstr "Ajouter un mot de passe au(x) fichier(s)" +#: themes/default/templates/mail.html.ep:16 +msgid "Adding URLs not related to this Lufi instance to the mail body or subject is prohibited." +msgstr "L’ajout d’URL non liées à cette instance Lufi au corps ou au sujet du mail est interdit." + #: themes/default/templates/about.html.ep:18 msgid "As Lufi is a free software licensed under of the terms of the AGPLv3, you can install it on you own server. Have a look on the Wiki for the procedure." msgstr "Comme Lufi est un logiciel libre soumis aux termes de la license AGPLv3, vous pouvez l’installer sur votre propre serveur. Veuillez consulter le Wiki pour voir la procédure." 
@@ -68,13 +72,13 @@ msgstr "Demande de récupération du fragment de fichier XX1 sur %1" msgid "Back to homepage" msgstr "Retour à la page d’accueil" -#: lib/Lufi/Controller/Mail.pm:21 +#: lib/Lufi/Controller/Mail.pm:25 msgid "Bad CSRF token!" msgstr "Mauvais jeton CSRF !" #: lib/Lufi/Controller/Auth.pm:22 lib/Lufi/Controller/Auth.pm:39 msgid "Bad CSRF token." -msgstr "" +msgstr "Jeton CSRF invalide." #: themes/default/templates/partial/render.js.ep:5 msgid "Click here to refresh the page and restart the download." @@ -88,7 +92,7 @@ msgstr "Cliquez pour ouvrir le navigateur de fichiers" msgid "Close" msgstr "Fermer" -#: themes/default/templates/mail.html.ep:22 +#: themes/default/templates/mail.html.ep:23 msgid "Comma-separated email addresses" msgstr "Adresses mails séparées par des virgules" @@ -152,15 +156,15 @@ msgstr "Faites glisser des fichiers dans la zone prévue à cet effet ou sélect msgid "Drop files here" msgstr "Glissez vos fichiers ici" -#: themes/default/templates/mail.html.ep:38 +#: themes/default/templates/mail.html.ep:39 msgid "Email body" msgstr "Corps du mail" -#: themes/default/templates/mail.html.ep:30 +#: themes/default/templates/mail.html.ep:31 msgid "Email subject" msgstr "Sujet du mail" -#: themes/default/templates/mail.html.ep:24 themes/default/templates/mail.html.ep:26 +#: themes/default/templates/mail.html.ep:25 themes/default/templates/mail.html.ep:27 msgid "Emails" msgstr "Mails" @@ -204,10 +208,6 @@ msgstr "Nom du fichier" msgid "Files deleted at first download" msgstr "Fichiers supprimés au premier téléchargement" -#: themes/default/templates/mail.html.ep:46 -msgid "Free field" -msgstr "" - #: themes/default/templates/partial/render.js.ep:8 msgid "Get the file" msgstr "Récupérer le fichier" 
@@ -220,7 +220,7 @@ msgstr "Récupérez le code source sur AGPLv3, you can install it on you own server. Have a look on the Wiki for the procedure." msgstr "Poiché Lufi è un software libero soggetto ai termini della licenza AGPLv3, potete installarlo sul vostro server. Si consulti Wiki per vedere la procedura." @@ -68,7 +72,7 @@ msgstr "Recupero della porzione del file XX1 su %1" msgid "Back to homepage" msgstr "Ritorna all'homepage" -#: lib/Lufi/Controller/Mail.pm:21 +#: lib/Lufi/Controller/Mail.pm:25 msgid "Bad CSRF token!" msgstr "Token CSRF errato!" @@ -88,7 +92,7 @@ msgstr "Click per aprire il file browser" msgid "Close" msgstr "Chiudi" -#: themes/default/templates/mail.html.ep:22 +#: themes/default/templates/mail.html.ep:23 msgid "Comma-separated email addresses" msgstr "Indirizzi email separati da virgole" @@ -152,15 +156,15 @@ msgstr "Trascinare e lasciare il file nell'are prevista o selezionare i file nel msgid "Drop files here" msgstr "Lasciare i file qui" -#: themes/default/templates/mail.html.ep:38 +#: themes/default/templates/mail.html.ep:39 msgid "Email body" msgstr "Corpo dell'email" -#: themes/default/templates/mail.html.ep:30 +#: themes/default/templates/mail.html.ep:31 msgid "Email subject" msgstr "Oggetto dell'email" -#: themes/default/templates/mail.html.ep:24 themes/default/templates/mail.html.ep:26 +#: themes/default/templates/mail.html.ep:25 themes/default/templates/mail.html.ep:27 msgid "Emails" msgstr "Email" @@ -204,10 +208,6 @@ msgstr "Nome del file" msgid "Files deleted at first download" msgstr "" -#: themes/default/templates/mail.html.ep:46 -msgid "Free field" -msgstr "" - #: themes/default/templates/partial/render.js.ep:8 msgid "Get the file" msgstr "Ottenere il file" 
@@ -220,7 +220,7 @@ msgstr "Ottenere il codice sorgente su AGPLv3, you can install it on you own server. Have a look on the Wiki for the procedure." msgstr "Aangezien Lufi een gratis software id die gelicentieerd staat onder de voorwaarden van AGPLv3, kan je het installeren op je eigen server. Bekijk Wiki voor de procedure." @@ -55,7 +59,7 @@ msgstr "Deel XX1 van %1 wordt opgehaald" msgid "Back to homepage" msgstr "Terug naar home" -#: lib/Lufi/Controller/Mail.pm:21 +#: lib/Lufi/Controller/Mail.pm:25 msgid "Bad CSRF token!" msgstr "Verkeerde CSRF token!" @@ -75,7 +79,7 @@ msgstr "Klik voor bestandbrowser" msgid "Close" msgstr "Sluiten" -#: themes/default/templates/mail.html.ep:22 +#: themes/default/templates/mail.html.ep:23 msgid "Comma-separated email addresses" msgstr "Komma gescheiden email adressen" @@ -139,15 +143,15 @@ msgstr "Drag and drop bestanden in de daarvoor bestemde locatie of gebruik de tr msgid "Drop files here" msgstr "Sleep bestand(en) naar dit venster" -#: themes/default/templates/mail.html.ep:38 +#: themes/default/templates/mail.html.ep:39 msgid "Email body" msgstr "Email inhoud" -#: themes/default/templates/mail.html.ep:30 +#: themes/default/templates/mail.html.ep:31 msgid "Email subject" msgstr "Onderwerp" -#: themes/default/templates/mail.html.ep:24 themes/default/templates/mail.html.ep:26 +#: themes/default/templates/mail.html.ep:25 themes/default/templates/mail.html.ep:27 msgid "Emails" msgstr "Emails" @@ -191,10 +195,6 @@ msgstr "Bestandsnaam" msgid "Files deleted at first download" msgstr "" -#: themes/default/templates/mail.html.ep:46 -msgid "Free field" -msgstr "" - #: themes/default/templates/partial/render.js.ep:8 msgid "Get the file" msgstr "Download bestand" 
@@ -207,7 +207,7 @@ msgstr "Krijg de broncode op AGPLv3, you can install it on you own server. Have a look on the Wiki for the procedure." msgstr "Ja que Lufi es un logicial liure somés als tèrmes de la licéncia AGPLv3, podètz l’installar sus vòstre pròpri servidor. Mercés de consultar lo Wiki per veire la procedura." @@ -68,7 +72,7 @@ msgstr "Demanda del tròç XX1 sus %1 del fichièr" msgid "Back to homepage" msgstr "Retorn a la pagina d’acuèlh" -#: lib/Lufi/Controller/Mail.pm:21 +#: lib/Lufi/Controller/Mail.pm:25 msgid "Bad CSRF token!" msgstr "Marrit geton CSRF !" @@ -88,7 +92,7 @@ msgstr "Clicatz per dobrir lo navigador de fichièr" msgid "Close" msgstr "Tampar" -#: themes/default/templates/mail.html.ep:22 +#: themes/default/templates/mail.html.ep:23 msgid "Comma-separated email addresses" msgstr "Adreças de corrièl separadas per de virgulas" @@ -152,15 +156,15 @@ msgstr "Fasètz lisar de fichièrs dins la zòna prevista per aquò far o selecc msgid "Drop files here" msgstr "Lisatz vòstres fichièrs aquí" -#: themes/default/templates/mail.html.ep:38 +#: themes/default/templates/mail.html.ep:39 msgid "Email body" msgstr "Còs del corrièl" -#: themes/default/templates/mail.html.ep:30 +#: themes/default/templates/mail.html.ep:31 msgid "Email subject" msgstr "Subjècte del corrièl" -#: themes/default/templates/mail.html.ep:24 themes/default/templates/mail.html.ep:26 +#: themes/default/templates/mail.html.ep:25 themes/default/templates/mail.html.ep:27 msgid "Emails" msgstr "Corrièl" @@ -204,10 +208,6 @@ msgstr "Nom del fichièr" msgid "Files deleted at first download" msgstr "Fichièr suprimit al primièr telecargament" -#: themes/default/templates/mail.html.ep:46 -msgid "Free field" -msgstr "" - #: themes/default/templates/partial/render.js.ep:8 msgid "Get the file" msgstr "Recuperar lo fichièr" 
@@ -220,7 +220,7 @@ msgstr "Recuperatz lo còdi font sul AGPLv3, you can install it on you own server. Have a look on the Wiki for the procedure." msgstr "Como Lufi é um programa livre sob os termos da licença AGPLv3, pode instalar-lo no seu prórpio servidor. Para saber mais clique aqui Wiki para ver o procedimento." @@ -69,7 +73,7 @@ msgstr "Pedido de recuperação de um fragmento do ficheiro XX1 de %1" msgid "Back to homepage" msgstr "Voltar à página inicial" -#: lib/Lufi/Controller/Mail.pm:21 +#: lib/Lufi/Controller/Mail.pm:25 msgid "Bad CSRF token!" msgstr "Símbolo errado CSRF !" @@ -89,7 +93,7 @@ msgstr "Clique para abrir o navegador de ficheiros" msgid "Close" msgstr "Fechar" -#: themes/default/templates/mail.html.ep:22 +#: themes/default/templates/mail.html.ep:23 msgid "Comma-separated email addresses" msgstr "Os e-mails devem ser separados por vírgulas" @@ -157,15 +161,15 @@ msgstr "" msgid "Drop files here (max. 4 Gb/file)" msgstr "Deslize os ficheiros aqui (max. 4 Gb/ficheiro)" -#: themes/default/templates/mail.html.ep:38 +#: themes/default/templates/mail.html.ep:39 msgid "Email body" msgstr "Conteúdo do e-mail" -#: themes/default/templates/mail.html.ep:30 +#: themes/default/templates/mail.html.ep:31 msgid "Email subject" msgstr "Assunto do e-mail" -#: themes/default/templates/mail.html.ep:24 themes/default/templates/mail.html.ep:26 +#: themes/default/templates/mail.html.ep:25 themes/default/templates/mail.html.ep:27 msgid "Emails" msgstr "E-mails" @@ -209,10 +213,6 @@ msgstr "Nome do ficheiro" msgid "Files deleted at first download" msgstr "" -#: themes/default/templates/mail.html.ep:46 -msgid "Free field" -msgstr "" - #: themes/default/templates/partial/render.js.ep:8 msgid "Get the file" msgstr "Recuperar o ficheiro" @@ -225,7 +225,7 @@ msgstr "Recupere o código-fonte no
- <%= stash('msg')%> + <%== stash('msg')%>
@@ -13,6 +13,7 @@

<%= l('If you send the mail from this server, the links will be sent to the server, which may lower your privacy protection.') %>

+

<%= l('Adding URLs not related to this Lufi instance to the mail body or subject is prohibited.') %>