Reject setting RFC non-compliant emission email addresses (#31154).
authorGo MAEDA <maeda@farend.jp>
Mon, 26 Aug 2019 04:18:18 +0000 (04:18 +0000)
committerGo MAEDA <maeda@farend.jp>
Mon, 26 Aug 2019 04:18:18 +0000 (04:18 +0000)
Patch by Mizuki ISHIKAWA.

git-svn-id: http://svn.redmine.org/redmine/trunk@18396 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/models/email_address.rb
app/models/setting.rb
test/unit/setting_test.rb

index 7f8eef5da02a7a51287a282747040f0b186f1a0c..c3d8e8d413597faa195286bbdec743d2a2a99879 100644 (file)
@@ -20,6 +20,8 @@
 class EmailAddress < ActiveRecord::Base
   include Redmine::SafeAttributes
 
+  EMAIL_REGEXP = /\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\z/i
+
   belongs_to :user
 
   after_update :destroy_tokens
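Review bot: EMAIL_REGEXP is now shared with Setting, but the added constant has no comment saying what it accepts, and the commit title's "RFC non-compliant" overstates what it checks. The local part allows anything except `@` and whitespace, while the domain must be dotted ASCII labels ending in an alphabetic TLD of two or more letters, so it is looser than the RFC grammar on one side and stricter on the other. A comment above the constant would make that explicit for callers, for example `# Pragmatic check, not a full RFC 5322 parser: local part is any run without "@" or whitespace; domain is dotted ASCII labels plus an alphabetic TLD.` The class body continues outside this hunk.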
@@ -30,7 +32,7 @@ class EmailAddress < ActiveRecord::Base
   after_destroy_commit :deliver_security_notification_destroy
 
   validates_presence_of :address
-  validates_format_of :address, :with => /\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\z/i, :allow_blank => true
+  validates_format_of :address, :with => EMAIL_REGEXP, :allow_blank => true
   validates_length_of :address, :maximum => User::MAIL_LENGTH_LIMIT, :allow_nil => true
   validates_uniqueness_of :address, :case_sensitive => false,
     :if => Proc.new {|email| email.address_changed? && email.address.present?}
index b18f8ed89bee5750431a33f1dda97e250ba7a982..9eaaaec33c5cb9a3f71d9d07cb54aa8f155a7e54 100644 (file)
@@ -166,6 +166,14 @@ class Setting < ActiveRecord::Base
       end
     end
 
+    if settings.key?(:mail_from)
+      begin
+        mail_from = Mail::Address.new(settings[:mail_from])
+        raise unless mail_from.address =~ EmailAddress::EMAIL_REGEXP
+      rescue
+        messages << [:mail_from, l('activerecord.errors.messages.invalid')]
+      end
+    end
     messages
   end
 
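Review bot: The bare `raise` / bare `rescue` pair in the `mail_from` check reports every StandardError as "is invalid", so an unrelated failure inside `Mail::Address.new` or a non-String value cannot be told apart from a malformed address. Testing the pattern directly and rescuing only the mail gem's parse error would keep the intent visible: `messages << [:mail_from, l('activerecord.errors.messages.invalid')] unless mail_from.address =~ EmailAddress::EMAIL_REGEXP`, with the `rescue` narrowed to `Mail::Field::ParseError` (confirm the class name against the bundled mail version). Only the parsed `address` part is matched here, while the raw string is presumably what gets stored and used as the sender. The display name is therefore unchecked, and if `Mail::Address` keeps just the first entry of a comma-separated list (worth confirming), later entries would pass unvalidated. The enclosing method starts outside the hunk.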
index 3d9252adb8fb273c848705a5cabb86e5e155c735..253f3c037b4d324e0653d7bfffb357bc918216cb 100644 (file)
@@ -132,4 +132,18 @@ YAML
     Setting.where(:name => 'commit_update_keywords').delete_all
     Setting.clear_cache
   end
+
+  def test_mail_from_format_should_be_validated
+    with_settings :default_language => 'en' do
+      ['[Redmine app] <redmine@example.net>', 'redmine'].each do |invalid_mail_from|
+        errors = Setting.set_all_from_params({:mail_from => invalid_mail_from})
+        assert_includes errors, [:mail_from, 'is invalid']
+      end
+
+      ['Redmine app <redmine@example.net>', 'redmine@example.net', '<redmine@example.net>'].each do |valid_mail_from|
+        errors = Setting.set_all_from_params({:mail_from => valid_mail_from})
+        assert_nil errors
+      end
+    end
+  end
 end
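Review bot: test_mail_from_format_should_be_validated exercises one malformed display name and one bare word, but not the inputs where the new check is least obvious. Those are an empty string, a comma-separated list of addresses, and a value that parses but whose domain fails EMAIL_REGEXP (for example `'redmine@localhost'`, a constructed sample). Adding each to whichever list reflects the intended behaviour would pin down what the setting accepts. The valid-value loop also appears to persist `mail_from` through `Setting.set_all_from_params` without restoring it. Passing `:mail_from` to `with_settings` would presumably restore it, assuming that helper resets the keys it is given.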