diff --git a/CHANGELOG b/CHANGELOG
index 3aa8f68..efa0d5b 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -6,6 +6,7 @@ Revision history for Lufi - 🌐 Update translations - 🔒 Fix XSS where using zip feature (#254) - 🔒 Fix unauthorized manipulations of invitations (#254)
+ - 🔒 Detect schemeless URL in mail (#254)
0.05.14 2021-06-16 - 🔧 Set default morbo port to 3000 (as it should have stay)
diff --git a/lib/Lufi/Controller/Mail.pm b/lib/Lufi/Controller/Mail.pm
index c7a5508..595fdd8 100644
--- a/lib/Lufi/Controller/Mail.pm
+++ b/lib/Lufi/Controller/Mail.pm
@@ -5,6 +5,7 @@ use Mojo::JSON qw(decode_json);
use Mojo::URL;
use Email::Valid;
use URI::Find;
+use URI::Find::Schemeless;
sub render_mail {
my $c = shift;
@@ -39,7 +40,7 @@ sub send_mail {
my ($uri, $orig_uri) = @_;
$uri = Mojo::URL->new($uri);
if ($uri->host ne $base_url->to_abs->host && $uri->host ne $fixed_url->to_abs->host) {
- $msg .= $c->l('You can\'t add URLs that are not related to this instance.').'
';
+ $msg .= $c->l('You can\'t add URLs that are not related to this instance (%1).', $orig_uri).'
';
} elsif (index($orig_uri, $fixed_url->to_abs->to_string) > -1) {
$at_least_one_instance_url = 1;
}
@@ -48,7 +49,20 @@ sub send_mail {
$finder->find(\$body);
$finder->find(\$subject);
- $c->debug($at_least_one_instance_url);
+ # Schemeless URI beginning with www, which are interpreted by mailers 🤦
+ $finder = URI::Find::Schemeless->new(sub {
+ my ($uri, $orig_uri) = @_;
+ return $orig_uri if ($uri !~ m/www/);
+
+ $uri = Mojo::URL->new($uri);
+ if ($uri->host ne $base_url->to_abs->host && $uri->host ne $fixed_url->to_abs->host) {
+ $msg .= $c->l('You can\'t add URLs that are not related to this instance (%1).', $orig_uri).'
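Review bot: `$orig_uri` is attacker-controlled text taken from the mail body, and the new message line interpolates it into `$msg`, which the `<br>` the line appends (eaten by this rendering, leaving the stray `';` fragments) suggests is later printed as raw HTML. Escape it before it goes into the message, e.g. `$msg .= $c->l('You can\'t add URLs that are not related to this instance (%1).', xml_escape($orig_uri)).'<br>';` with `use Mojo::Util qw(xml_escape);` added next to the other `use` lines. URI::Find only matches URI characters, which narrows what can reach the page, but the escape is cheap and removes any dependence on how the template prints `$msg`. The callback holding this check starts before the hunk, so I cannot see what it returns to URI::Find.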
';
+ }
+ return $orig_uri;
+ });
+ $finder->find(\$body);
+ $finder->find(\$subject);
+
unless ($at_least_one_instance_url) {
$msg .= $c->l('The body of the mail must contain at least one URL pointing to a file hosted on this instance.').'
';
}
diff --git a/themes/default/lib/Lufi/I18N/en.po b/themes/default/lib/Lufi/I18N/en.po
index d1a2e5b..3a9b7ba 100644
--- a/themes/default/lib/Lufi/I18N/en.po
+++ b/themes/default/lib/Lufi/I18N/en.po
@@ -98,7 +98,7 @@ msgstr "Asking for file part XX1 of %1"
msgid "Back to homepage"
msgstr "Back to homepage"
-#: lib/Lufi/Controller/Mail.pm:25
+#: lib/Lufi/Controller/Mail.pm:26
msgid "Bad CSRF token!"
msgstr "Bad CSRF token!"
@@ -564,7 +564,7 @@ msgstr "The URLs of your files have been sent by email to %1."
msgid "The administrator can only see the file's name, its size and its mimetype (what kind of file it is: video, text, etc.)."
msgstr "The administrator can only see the file's name, its size and its mimetype (what kind of file it is: video, text, etc.)."
-#: lib/Lufi/Controller/Mail.pm:53
+#: lib/Lufi/Controller/Mail.pm:67
msgid "The body of the mail must contain at least one URL pointing to a file hosted on this instance."
msgstr "The body of the mail must contain at least one URL pointing to a file hosted on this instance."
@@ -572,11 +572,11 @@ msgstr "The body of the mail must contain at least one URL pointing to a file ho
msgid "The data has been successfully imported."
msgstr "The data has been successfully imported."
-#: lib/Lufi/Controller/Mail.pm:73
+#: lib/Lufi/Controller/Mail.pm:87
msgid "The email body can't be empty."
msgstr "The email body can't be empty."
-#: lib/Lufi/Controller/Mail.pm:72
+#: lib/Lufi/Controller/Mail.pm:86
msgid "The email subject can't be empty."
msgstr "The email subject can't be empty."
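Review bot: The guard `return $orig_uri if ($uri !~ m/www/);` in the new Schemeless callback only tests for the substring `www` somewhere in the URI, so a schemeless link such as `evil.example/path`, which URI::Find::Schemeless matches and which mail clients also turn into links, is never compared against the instance host at all, while a URL that merely contains `www` in its path is checked. Either drop the guard so every schemeless match goes through the host comparison, or, if the intent really is the `www.` prefix the comment describes, anchor it on the host after the `Mojo::URL->new` line: `return $orig_uri if ($uri->host !~ m/\Awww\./);`. URI::Find::Schemeless is a subclass of URI::Find and presumably re-matches the fully qualified URLs the first pass already handled, so a rejected `http://www.` URL looks like it would be reported twice in `$msg`. send_mail continues outside the hunk, so I cannot see whether the earlier pass rewrote `$body` in a way that would prevent that.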
@@ -594,7 +594,7 @@ msgid "The files uploaded on a Lufi instance are encrypted before the upload to
msgstr "The files uploaded on a Lufi instance are encrypted before the upload to the server: the administrator of the server can not see the file's content."
#. (join(', ', @bad)
-#: lib/Lufi/Controller/Mail.pm:68
+#: lib/Lufi/Controller/Mail.pm:82
msgid "The following email addresses are not valid: %1"
msgstr "The following email addresses are not valid: %1"
@@ -642,7 +642,7 @@ msgstr "The link(s) of your file(s) will automatically be sent by mail to %1 (%2
msgid "The links of your file(s) will automatically be sent by mail to %1."
msgstr "The link(s) of your file(s) will automatically be sent by mail to %1."
-#: lib/Lufi/Controller/Mail.pm:97
+#: lib/Lufi/Controller/Mail.pm:111
msgid "The mail has been sent."
msgstr "The mail has been sent."
@@ -746,7 +746,12 @@ msgstr "You can invite someone to send you files through this Lufi instance even
msgid "You can see the list of your files by clicking on the \"My files\" link at the top right of this page."
msgstr "You can see the list of your files by clicking on the \"My files\" link at the top right of this page."
-#: lib/Lufi/Controller/Mail.pm:42
+#. ($orig_uri)
+#: lib/Lufi/Controller/Mail.pm:43 lib/Lufi/Controller/Mail.pm:59
+msgid "You can't add URLs that are not related to this instance (%1)."
+msgstr "You can't add URLs that are not related to this instance (%1)."
+#:
msgid "You can't add URLs that are not related to this instance."
msgstr "You can't add URLs that are not related to this instance."
@@ -770,7 +775,7 @@ msgstr "You have attempted to leave this page. The upload will be canceled. Are
msgid "You have been successfully logged out."
msgstr "You have been successfully logged out."
-#: lib/Lufi/Controller/Mail.pm:71
+#: lib/Lufi/Controller/Mail.pm:85
msgid "You must give email addresses."
msgstr "You must give email addresses."
diff --git a/themes/default/lib/Lufi/I18N/lufi.pot b/themes/default/lib/Lufi/I18N/lufi.pot
index 2daa2e3..04229a3 100644
--- a/themes/default/lib/Lufi/I18N/lufi.pot
+++ b/themes/default/lib/Lufi/I18N/lufi.pot
@@ -98,7 +98,7 @@ msgstr ""
msgid "Back to homepage"
msgstr ""
-#: lib/Lufi/Controller/Mail.pm:25
+#: lib/Lufi/Controller/Mail.pm:26
msgid "Bad CSRF token!"
msgstr ""
@@ -564,7 +564,7 @@ msgstr ""
msgid "The administrator can only see the file's name, its size and its mimetype (what kind of file it is: video, text, etc.)."
msgstr ""
-#: lib/Lufi/Controller/Mail.pm:53
+#: lib/Lufi/Controller/Mail.pm:67
msgid "The body of the mail must contain at least one URL pointing to a file hosted on this instance."
msgstr ""
@@ -572,11 +572,11 @@ msgstr ""
msgid "The data has been successfully imported."
msgstr ""
-#: lib/Lufi/Controller/Mail.pm:73
+#: lib/Lufi/Controller/Mail.pm:87
msgid "The email body can't be empty."
msgstr ""
-#: lib/Lufi/Controller/Mail.pm:72
+#: lib/Lufi/Controller/Mail.pm:86
msgid "The email subject can't be empty."
msgstr ""
@@ -594,7 +594,7 @@ msgid "The files uploaded on a Lufi instance are encrypted before the upload to
msgstr ""
#. (join(', ', @bad)
-#: lib/Lufi/Controller/Mail.pm:68
+#: lib/Lufi/Controller/Mail.pm:82
msgid "The following email addresses are not valid: %1"
msgstr ""
@@ -642,7 +642,7 @@ msgstr ""
msgid "The links of your file(s) will automatically be sent by mail to %1."
msgstr ""
-#: lib/Lufi/Controller/Mail.pm:97
+#: lib/Lufi/Controller/Mail.pm:111
msgid "The mail has been sent."
msgstr ""
@@ -746,8 +746,9 @@ msgstr ""
msgid "You can see the list of your files by clicking on the \"My files\" link at the top right of this page."
msgstr ""
-#: lib/Lufi/Controller/Mail.pm:42
-msgid "You can't add URLs that are not related to this instance."
+#. ($orig_uri)
+#: lib/Lufi/Controller/Mail.pm:43 lib/Lufi/Controller/Mail.pm:59
+msgid "You can't add URLs that are not related to this instance (%1)."
msgstr ""
#: themes/default/templates/about.html.ep:8
@@ -770,7 +771,7 @@ msgstr ""
msgid "You have been successfully logged out."
msgstr ""
-#: lib/Lufi/Controller/Mail.pm:71
+#: lib/Lufi/Controller/Mail.pm:85
msgid "You must give email addresses."
msgstr ""