reply issue by email #13585
reply issue by email #13585
Conversation
Signed-off-by: a1012112796 <[email protected]>
a1012112796
changed the title
* try get text content * fix some nits
|
This is not secure and won't work as is since it will let you send an email and post a comment as any user you want since it only checks the from address which can be anything the user wants -- there needs to be unique keys per user that GItea already knows or can calculate in order to verify a message. Github does this that each issue/pull has a unique ID for each user and that is included in the reply-to address in order to verify a comment (which require sub addressing) like Gitlab has a second option that if you can't create random/unique reply to addresses you can put the unique value in side the "References" header which most (but not all) mail programs will include in the reply. |
Ok, Thanks. I see, I not use in-reply-to because many mail service not use the some usefull message in RFC 2822 |
add permission check fix some nits
Codecov Report
@@ Coverage Diff @@
## master #13585 +/- ##
==========================================
- Coverage 41.84% 41.73% -0.12%
==========================================
Files 744 748 +4
Lines 79779 80212 +433
==========================================
+ Hits 33387 33476 +89
- Misses 40874 41211 +337
- Partials 5518 5525 +7
Continue to review full report at Codecov.
|
* master: (252 commits) Issues overview should not show issues from archived repos (go-gitea#13220) Display SVG files as images instead of text (go-gitea#14101) [skip ci] Updated translations via Crowdin Update docs to clarify issues raised in go-gitea#14272 (go-gitea#14318) [skip ci] Updated translations via Crowdin [Refactor] Passwort Hash/Set (go-gitea#14282) Add option to change username to the admin panel (go-gitea#14229) fix mailIssueCommentBatch for pull request (go-gitea#14252) Remove self from MAINTAINERS (go-gitea#14286) Do not reload page after adding comments in Pull Request reviews (go-gitea#13877) Fix session bug when introduce chi (go-gitea#14287) [skip ci] Updated translations via Crowdin Add secure/httpOnly attributes to the lang cookie (go-gitea#9690) (go-gitea#14279) Some code improvements (go-gitea#14266) [skip ci] Updated translations via Crowdin Fix wrong type on hooktask to convert typ from char(16) to varchar(16) (go-gitea#14148) Upgrade XORM links in documentation. (go-gitea#14265) Check permission for the appropriate unit type (go-gitea#14261) Add compliance check for windows to ensure cross platform build (go-gitea#14260) [skip ci] Updated translations via Crowdin ...
* master: Use Request.URL.RequestURI() for fcgi (go-gitea#14312) (go-gitea#14314) Update Link [skip ci] Updated translations via Crowdin Kd/add bountysource (go-gitea#14323)
* master: (27 commits) Use path not filepath in routers/editor (go-gitea#14390) Display error if twofaSecret cannot be retrieved (go-gitea#14372) Check if label template exist first (go-gitea#14384) Allow passcode invalid error to appear (go-gitea#14371) exclude authored PRs from Review Requested filter (go-gitea#14368) Upgrade blevesearch dependency to v2.0.1 (go-gitea#14346) Implement ghost comment mitigation (go-gitea#14349) Add edit, delete and reaction support to code review comments on issue page (go-gitea#14339) Add review requested filter on pull request overview (go-gitea#13701) escape branch names in compare url (go-gitea#14364) label and milestone webhooks on issue/pull creation (go-gitea#14363) Fix middlewares sequences (go-gitea#14354) Sort issue search results by revelance (go-gitea#14353) KanBan: be able to set default board (go-gitea#14147) ...
* master: Add pager to the branches page (go-gitea#14202) Removed invalid form tag (go-gitea#14391) Update back-up restore example for 1.13 changes (go-gitea#14374) It seems vet on windows is unnecessary (go-gitea#14302)
@delvh Signed-off-by: a1012112796 <[email protected]>
models/issue.go
Outdated
| } | ||
|
|
||
| if len(key) > 0 { | ||
| return fmt.Sprintf("%s/%s/%d?%s@%s", issue.Repo.FullName(), path, issue.Index, key, setting.Domain) |
There was a problem hiding this comment.
https://datatracker.ietf.org/doc/html/rfc2392
message-id = url-addr-spec
url-addr-spec = addr-spec ; URL encoding of RFC 822 addr-spec
The key might need to be encoded.
There was a problem hiding this comment.
But this format is too strict to produce a meaningfull messgae, I wonder.
addr-spec = local-part "@" domain ; global address
local-part = word *("." word) ; uninterpreted
; case-preserved
example of this format:
12343@domain
22233.word.123@domain
and github also not use this format:
There was a problem hiding this comment.
An word is either an atom or a quoted string.
https://jkorpela.fi/rfc/822addr.html
Positively speaking, this means that the valid constituents of an atom are the following:
!"#$%&'*+-/
0123456789
=?@
ABCDEFGHIJKLMNOPQRSTUVWXYZ
^_`
abcdefghijklmnopqrstuvwxyz
{|}~
Not that strict.
I mean maybe we need a sanitizer or encoder for such format. Otherwise there may be potential bugs.
| c.Issue.Index, | ||
| c.HashTag(), | ||
| setting.Domain) | ||
| } |
There was a problem hiding this comment.
As above, these Message-ID should follow RFC encoding
services/imap/mail_receiver.go
Outdated
| return nil | ||
| } | ||
|
|
||
| splitLink = strings.SplitN(splitLink[0], "?", 2) |
There was a problem hiding this comment.
Should we use a URL parser?
Codecov Report
@@ Coverage Diff @@
## main #13585 +/- ##
=======================================
Coverage ? 45.29%
=======================================
Files ? 802
Lines ? 89344
Branches ? 0
=======================================
Hits ? 40465
Misses ? 42372
Partials ? 6507
Continue to review full report at Codecov.
|
|
I'm not sure what's the status of this PR, but if subadressing is not available and headers are not preserved, it is always possible to include the token in the title of the email, it is preserved by all clients I guess (at most they will append some texts like "Re") |
TODOs:
view now:
fix #9067