gitea/routers/private/mail.go
Yarden Shoham 6068978c42
Prevent multiple To recipients (#22566) (#22569)
Backport #22566

Change the mailer interface to prevent the leaking of possible hidden
email addresses when sending to multiple recipients.

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
Co-authored-by: Gusted <williamzijl7@hotmail.com>
2023-01-22 11:37:26 -06:00


// Copyright 2020 The Gitea Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
package private
import (
"fmt"
"net/http"
"strconv"
"code.gitea.io/gitea/models/db"
user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/context"
"code.gitea.io/gitea/modules/json"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/private"
"code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/services/mailer"
)
// SendEmail pushes messages to the mail queue.
//
// The request body is a JSON-encoded private.Email. When To is non-empty,
// each listed user name is resolved to that user's address; otherwise the
// message is queued for every active user that has an address set. The
// handler replies as soon as the messages are queued; it does not wait
// for delivery.
func SendEmail(ctx *context.PrivateContext) {
	if setting.MailService == nil {
		ctx.JSON(http.StatusInternalServerError, private.Response{
			Err: "Mail service is not enabled.",
		})
		return
	}

	body := ctx.Req.Body
	defer body.Close()

	var mail private.Email
	if err := json.NewDecoder(body).Decode(&mail); err != nil {
		log.Error("%v", err)
		ctx.JSON(http.StatusInternalServerError, private.Response{
			Err: err.Error(),
		})
		return
	}

	// fail logs msg and reports it to the caller as a 500 response.
	fail := func(msg string) {
		log.Error(msg)
		ctx.JSON(http.StatusInternalServerError, private.Response{
			Err: msg,
		})
	}

	var recipients []string
	switch {
	case len(mail.To) > 0:
		for _, name := range mail.To {
			u, err := user_model.GetUserByName(ctx, name)
			if err != nil {
				fail(fmt.Sprintf("Failed to get user information: %v", err))
				return
			}
			if u != nil && len(u.Email) > 0 {
				recipients = append(recipients, u.Email)
			}
		}
	default:
		// No explicit recipients: broadcast to every active user with an address.
		err := db.IterateObjects(ctx, func(u *user_model.User) error {
			if len(u.Email) > 0 && u.IsActive {
				recipients = append(recipients, u.Email)
			}
			return nil
		})
		if err != nil {
			fail(fmt.Sprintf("Failed to find users: %v", err))
			return
		}
	}

	sendEmail(ctx, mail.Subject, mail.Message, recipients)
}
// sendEmail queues one message per address in to and replies with the
// number of messages queued, as plain text.
//
// Every recipient gets its own message, so no recipient can see the
// addresses of the others (see #22566).
func sendEmail(ctx *context.PrivateContext, subject, message string, to []string) {
	for _, addr := range to {
		mailer.SendAsync(mailer.NewMessage(addr, subject, message))
	}
	ctx.PlainText(http.StatusOK, strconv.Itoa(len(to)))
}