0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2024-12-27 01:44:10 -05:00
forgejo/routers/private/mail.go
KN4CK3R 21dd4a252a
Prevent multiple To recipients (#22566)
Change the mailer interface to prevent leaking of possible hidden email
addresses when sending to multiple recipients.

Co-authored-by: Gusted <williamzijl7@hotmail.com>
2023-01-22 08:23:52 -06:00

91 lines
2.1 KiB
Go

// Copyright 2020 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package private
import (
stdCtx "context"
"fmt"
"net/http"
"strconv"
"code.gitea.io/gitea/models/db"
user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/context"
"code.gitea.io/gitea/modules/json"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/private"
"code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/services/mailer"
)
// SendEmail pushes messages to mail queue
//
// It doesn't wait before each message will be processed
func SendEmail(ctx *context.PrivateContext) {
if setting.MailService == nil {
ctx.JSON(http.StatusInternalServerError, private.Response{
Err: "Mail service is not enabled.",
})
return
}
var mail private.Email
rd := ctx.Req.Body
defer rd.Close()
if err := json.NewDecoder(rd).Decode(&mail); err != nil {
log.Error("%v", err)
ctx.JSON(http.StatusInternalServerError, private.Response{
Err: err.Error(),
})
return
}
var emails []string
if len(mail.To) > 0 {
for _, uname := range mail.To {
user, err := user_model.GetUserByName(ctx, uname)
if err != nil {
err := fmt.Sprintf("Failed to get user information: %v", err)
log.Error(err)
ctx.JSON(http.StatusInternalServerError, private.Response{
Err: err,
})
return
}
if user != nil && len(user.Email) > 0 {
emails = append(emails, user.Email)
}
}
} else {
err := db.Iterate(ctx, nil, func(ctx stdCtx.Context, user *user_model.User) error {
if len(user.Email) > 0 && user.IsActive {
emails = append(emails, user.Email)
}
return nil
})
if err != nil {
err := fmt.Sprintf("Failed to find users: %v", err)
log.Error(err)
ctx.JSON(http.StatusInternalServerError, private.Response{
Err: err,
})
return
}
}
sendEmail(ctx, mail.Subject, mail.Message, emails)
}
func sendEmail(ctx *context.PrivateContext, subject, message string, to []string) {
for _, email := range to {
msg := mailer.NewMessage(email, subject, message)
mailer.SendAsync(msg)
}
wasSent := strconv.Itoa(len(to))
ctx.PlainText(http.StatusOK, wasSent)
}