Browse Source

Merge pull request #42 from iledarn/9.0-fix-mailgun

[REF] mailgun: use regular expression in simple security check, don't…
pull/45/merge
Ivan Yelizariev 8 years ago
committed by GitHub
parent
commit
1115c6a4a5
  1. 4
      mailgun/controllers/main.py
  2. 2
      mailgun/models.py

4
mailgun/controllers/main.py

@ -5,6 +5,8 @@ import werkzeug
import email
import requests
import simplejson
import re
class MailMailgun(http.Controller):
@ -12,7 +14,7 @@ class MailMailgun(http.Controller):
def mailgun_notify(self, **kw):
# mailgun notification in json format
message_url = kw.get('message-url')
if not message_url.startswith('https://api.mailgun.net/'):
if not re.match('^https://[^/]*api.mailgun.net/', message_url):
# simple security check failed
raise Exception('wrong message-url')
request.env['mail.thread'].sudo().mailgun_fetch_message(message_url)

2
mailgun/models.py

@ -18,7 +18,7 @@ class MailThread(models.AbstractModel):
@api.model
def mailgun_fetch_message(self, message_url):
api_key = self.env['ir.config_parameter'].sudo().get_param('mailgun.apikey')
res = requests.get(message_url, headers={'Accept': 'message/rfc2822'}, auth=('api', api_key))
res = requests.get(message_url, headers={'Accept': 'message/rfc2822'}, auth=('api', api_key), verify=False)
self.message_process(False, res.json().get('body-mime'))

Loading…
Cancel
Save