Merge pull request #42 from iledarn/9.0-fix-mailgun

[REF] mailgun: use regular expression in simple security check, don't…
8 years ago · 1115c6a4a5
2 changed files with 4 additions and 2 deletions
--- a/mailgun/controllers/main.py
+++ b/mailgun/controllers/main.py
@ -5,6 +5,8 @@ import werkzeug
 import email
 import requests
 import simplejson
+import re
+

 class MailMailgun(http.Controller):

@ -12,7 +14,7 @@ class MailMailgun(http.Controller):
    def mailgun_notify(self, **kw):
        # mailgun notification in json format
        message_url = kw.get('message-url')
-        if not message_url.startswith('https://api.mailgun.net/'):
+        if not re.match('^https://[^/]*api.mailgun.net/', message_url):
            # simple security check failed
            raise Exception('wrong message-url')
        request.env['mail.thread'].sudo().mailgun_fetch_message(message_url)
--- a/mailgun/models.py
+++ b/mailgun/models.py
@ -18,7 +18,7 @@ class MailThread(models.AbstractModel):
    @api.model
    def mailgun_fetch_message(self, message_url):
        api_key = self.env['ir.config_parameter'].sudo().get_param('mailgun.apikey')
-        res = requests.get(message_url, headers={'Accept': 'message/rfc2822'}, auth=('api', api_key))
+        res = requests.get(message_url, headers={'Accept': 'message/rfc2822'}, auth=('api', api_key), verify=False)
        self.message_process(False, res.json().get('body-mime'))