From eb65e5eea0c11b648f5d878320bf5ae101279b63 Mon Sep 17 00:00:00 2001
From: Dimitri Huisman
Date: Tue, 7 Nov 2023 14:14:27 +0000
Subject: [PATCH] Add extra server-side validation of setup form values

Remove deprecated database_flavor JavaScript functionality
Remove statistics question which has never been implemented
---
 setup/flavors/compose/mailu.env | 3 --
 setup/server.py | 28 +++++++++++++++--
 setup/static/render.js | 50 +++++++------------------------
 setup/templates/steps/config.html | 7 -----
 4 files changed, 36 insertions(+), 52 deletions(-)

diff --git a/setup/flavors/compose/mailu.env b/setup/flavors/compose/mailu.env
index cffafe15..61bbc3c5 100644
--- a/setup/flavors/compose/mailu.env
+++ b/setup/flavors/compose/mailu.env
@@ -39,9 +39,6 @@ AUTH_RATELIMIT_IP={{ auth_ratelimit_ip }}/hour
 AUTH_RATELIMIT_USER={{ auth_ratelimit_user }}/day
 {% endif %}
 
-# Opt-out of statistics, replace with "True" to opt out
-DISABLE_STATISTICS={{ disable_statistics or 'False' }}
-
 ###################################
 # Optional features
 ###################################
diff --git a/setup/server.py b/setup/server.py
index 96ce1db3..db473770 100644
--- a/setup/server.py
+++ b/setup/server.py
@@ -108,18 +108,41 @@ def build_app(path):
 try:
 ipaddress.ip_network(data['subnet'])
 except:
- flask.flash('Configured subnet(IPv4) is invalid.', 'error')
+ flask.flash('Configured subnet(IPv4) is invalid', 'error')
 valid = False
 try:
 ipaddress.ip_network(data['subnet6'])
 except:
- flask.flash('Configured subnet(IPv6) is invalid.', 'error')
+ flask.flash('Configured subnet(IPv6) is invalid', 'error')
 valid = False
 try:
 data['dns'] = str(ipaddress.IPv4Network(data['subnet'], strict=False)[-2])
 except ValueError as err:
 flask.flash('Invalid configuration: ' + str(err))
 valid = False
+ if data['webmail_type'] != 'none':
+ if data['webmail_path'] == '':
+ flask.flash('Webmail path cannot be empty when webmail is enabled', 'error')
+ valid = False
+ if data['webmail_path'][0] != '/':
+ flask.flash('Webmail path must start with a leading slash "/"', 'error')
+ valid = False
+ if 'admin_enabled' in data:
+ if data['admin_enabled'] == 'true':
+ if data['admin_path'] == '':
+ flask.flash('Admin path cannot be empty when admin is enabled', 'error')
+ valid = False
+ if data['admin_path'][0] != '/':
+ flask.flash('Admin path must start with a leading slash "/"', 'error')
+ valid = False
+ if 'api_enabled' in data:
+ if (data['api_enabled'] == 'true'):
+ if data['api_path'] == '' or data['api_token'] == '':
+ flask.flash('API path and API token cannot be empty when API is enabled', 'error')
+ valid = False
+ if data['api_path'][0] != '/':
+ flask.flash('API path must start with a leading slash "/"', 'error')
+ valid = False
 if valid:
 db.set(data['uid'], json.dumps(data))
 return flask.redirect(flask.url_for('.setup', uid=data['uid']))
@@ -131,7 +154,6 @@ def build_app(path):
 subnet6=random_ipv6_subnet()
 )
 
-
 @prefix_bp.route("/setup/", methods=["GET"])
 @root_bp.route("/setup/", methods=["GET"])
 def setup(uid):
diff --git a/setup/static/render.js b/setup/static/render.js
index 2276b19d..5a7e0c56 100644
--- a/setup/static/render.js
+++ b/setup/static/render.js
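Review bot: The empty-path checks on `webmail_path`, `admin_path` and `api_path` set `valid = False` but do not stop the following `[0]` index, so a submitted empty value raises IndexError and the request fails with a server error instead of the flashed validation message, including when `api_path` is empty and the combined API check fires. Making the slash check an `elif` that tolerates an empty string avoids this, e.g. `elif not data['webmail_path'].startswith('/'):`, with the same change for the admin and API paths. The new branches also read `data['webmail_type']`, `data['webmail_path']`, `data['admin_path']`, `data['api_path']` and `data['api_token']` directly, so a POST that omits a field the page normally hides raises KeyError; this matches the pre-existing `data['subnet']` accesses above, but `data.get(..., '')` would keep such requests on the validation path rather than a 500. build_app continues outside this hunk.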
@@ -10,17 +10,21 @@ $(document).ready(function() {
 if ($("#webmail").val() == 'none') {
 $("#webmail_path").hide();
 $("#webmail_path").val("");
+ $("#webmail_path").prop('required',false);
 } else {
 $("#webmail_path").show();
 $("#webmail_path").val("/webmail");
+ $("#webmail_path").prop('required',true);
 }
 $("#webmail").click(function() {
 if (this.value == 'none') {
 $("#webmail_path").hide();
 $("#webmail_path").val("");
+ $("#webmail_path").prop('required',false);
 } else {
 $("#webmail_path").show();
 $("#webmail_path").val("/webmail");
+ $("#webmail_path").prop('required',true);
 }
 });
 });
@@ -29,14 +33,17 @@ $(document).ready(function() {
 if ($('#admin').prop('checked')) {
 $("#admin_path").show();
 $("#admin_path").val("/admin");
+ $("#admin_path").prop('required',true);
 }
 $("#admin").change(function() {
 if ($(this).is(":checked")) {
 $("#admin_path").show();
 $("#admin_path").val("/admin");
+ $("#admin_path").prop('required',true);
 } else {
 $("#admin_path").hide();
 $("#admin_path").val("");
+ $("#admin_path").prop('required',false);
 }
 });
 });
@@ -44,6 +51,7 @@ $(document).ready(function() {
 $(document).ready(function() {
 if ($('#api_enabled').prop('checked')) {
 $("#api_path").show();
+ $("#api_path").prop('required',true);
 $("#api_path").val("/api")
 $("#api_token").show();
 $("#api_token").prop('required',true);
@@ -51,6 +59,7 @@ $(document).ready(function() {
 $("#api_token_label").show();
 } else {
 $("#api_path").hide();
+ $("#api_path").prop('required',false);
 $("#api_path").val("")
 $("#api_token").hide();
 $("#api_token").prop('required',false);
@@ -60,6 +69,7 @@ $(document).ready(function() {
 $("#api_enabled").change(function() {
 if ($(this).is(":checked")) {
 $("#api_path").show();
+ $("#api_path").prop('required',true);
 $("#api_path").val("/api");
 $("#api_token").show();
 $("#api_token").prop('required',true);
@@ -67,6 +77,7 @@ $(document).ready(function() {
 $("#api_token_label").show();
 } else {
 $("#api_path").hide();
+ $("#api_path").prop('required',false);
 $("#api_path").val("")
 $("#api_token").hide();
 $("#api_token").prop('required',false);
@@ -76,45 +87,6 @@ $(document).ready(function() {
 });
 });
 
-$(document).ready(function() {
- if ($("#database").val() == 'sqlite') {
- $("#external_db").hide();
- } else {
- $("#external_db").show();
- }
-
- $("#webmail").click(function() {
- if (this.value == 'roundcube') {
- $("#db_flavor_rc_sel").show();
- } else {
- $("#db_flavor_rc_sel").hide();
- $("#roundcube_db_user,#roundcube_db_pw,#roundcube_db_url,#roundcube_db_name").prop('required',false);
- }
- });
-
- $("#database").click(function() {
- if (this.value == 'sqlite') {
- $("#external_db").hide();
- $("#db_user,#db_pw,#db_url,#db_name").prop('required',false);
- $("#roundcube_db_user,#roundcube_db_pw,#roundcube_db_url,#roundcube_db_name").prop('required',false);
- } else {
- $("#external_db").show();
- $("#db_user,#db_pw,#db_url,#db_name").prop('required',true);
- }
- });
-
- $("#database_rc").click(function() {
- if (this.value == 'sqlite'){
- $("#roundcube_external_db").hide();
- $("#roundcube_db_user,#roundcube_db_pw,#roundcube_db_url,#roundcube_db_name").prop('required',false);
- }
- else if ($("#webmail").val() == 'roundcube') {
- $("#roundcube_external_db").show();
- $("#roundcube_db_user,#roundcube_db_pw,#roundcube_db_url,#roundcube_db_name").prop('required',true);
- }
- });
-});
-
 $(document).ready(function() {
 if ($('#enable_ipv6').prop('checked')) {
 $("#ipv6").show();
diff --git a/setup/templates/steps/config.html b/setup/templates/steps/config.html
index c1a5ff43..d314c40b 100644
--- a/setup/templates/steps/config.html
+++ b/setup/templates/steps/config.html
@@ -58,13 +58,6 @@ Or in plain English: if receivers start to classify your mail as spam, this post

-
- -
-