From 1cd822bd75293df431a7aac5aeab2ceef99415cb Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 5 Mar 2021 14:54:17 +0100 Subject: [PATCH] Fix DOS attack on emailings wrappers --- .../modules/mailings/modules_mailings.php | 3 +- htdocs/public/emailing/mailing-read.php | 55 +++++++++++++++---- .../public/emailing/mailing-unsubscribe.php | 25 +++++++-- 3 files changed, 67 insertions(+), 16 deletions(-) diff --git a/htdocs/core/modules/mailings/modules_mailings.php b/htdocs/core/modules/mailings/modules_mailings.php index 5b1530bf02c..8e8c9fe4e4f 100644 --- a/htdocs/core/modules/mailings/modules_mailings.php +++ b/htdocs/core/modules/mailings/modules_mailings.php @@ -158,6 +158,7 @@ class MailingTargets // This can't be abstract as it is used for some method public function addTargetsToDatabase($mailing_id, $cibles) { global $conf; + global $dolibarr_main_instance_unique_id; $this->db->begin(); @@ -182,7 +183,7 @@ class MailingTargets // This can't be abstract as it is used for some method $sql .= "'".$this->db->escape($targetarray['other'])."',"; $sql .= "'".$this->db->escape($targetarray['source_url'])."',"; $sql .= (empty($targetarray['source_id']) ? 'null' : "'".$this->db->escape($targetarray['source_id'])."'").","; - $sql .= "'".$this->db->escape(dol_hash($targetarray['email'].';'.$targetarray['lastname'].';'.$mailing_id.';'.$conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY))."',"; + $sql .= "'".$this->db->escape(dol_hash($dolibarr_main_instance_unique_id.';'.$targetarray['email'].';'.$targetarray['lastname'].';'.$mailing_id.';'.$conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY), 'md5')."',"; $sql .= "'".$this->db->escape($targetarray['source_type'])."')"; dol_syslog(__METHOD__, LOG_DEBUG); $result = $this->db->query($sql); diff --git a/htdocs/public/emailing/mailing-read.php b/htdocs/public/emailing/mailing-read.php index ccbf8f5c1d3..a2b8fcb574a 100644 --- a/htdocs/public/emailing/mailing-read.php +++ b/htdocs/public/emailing/mailing-read.php @@ -53,6 +53,8 @@ function llxFooter() require '../../main.inc.php'; +$mtid = GETPOST('mtid'); +$email = GETPOST('email'); $tag = GETPOST('tag'); $securitykey = GETPOST('securitykey'); @@ -71,23 +73,54 @@ if ($securitykey != $conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY) if (!empty($tag)) { - $statut = '2'; - $sql = "UPDATE ".MAIN_DB_PREFIX."mailing_cibles SET statut=".$statut." WHERE tag='".$db->escape($tag)."'"; - dol_syslog("public/emailing/mailing-read.php : Mail read : ".$sql, LOG_DEBUG); + dol_syslog("public/emailing/mailing-read.php : Update status of email target and thirdparty for tag ".$tag, LOG_DEBUG); + $sql = "SELECT mc.rowid, mc.email, mc.statut, mc.source_type, mc.source_id, m.entity"; + $sql .= " FROM ".MAIN_DB_PREFIX."mailing_cibles as mc, ".MAIN_DB_PREFIX."mailing as m"; + $sql .= " WHERE mc.fk_mailing = m.rowid AND mc.tag='".$db->escape($tag)."'"; + + $resql = $db->query($sql); + if (!$resql) dol_print_error($db); + + $obj = $db->fetch_object($resql); + + if (empty($obj)) { + print 'Email target not valid. Operation canceled.'; + exit; + } + if (empty($obj->email)) { + print 'Email target not valid. Operation canceled.'; + exit; + } + if ($obj->statut == 2) { + print 'Email target already set to read. Operation canceled.'; + exit; + } + // TODO Test that mtid and email match also with the one found from $tag + /* + if ($obj->email != $email) + { + print 'Email does not match tagnot found. No need to unsubscribe.'; + exit; + } + */ + + //Update status of target + $statut = '2'; + $sql = "UPDATE ".MAIN_DB_PREFIX."mailing_cibles SET statut=".$statut." WHERE id = ".$obj->rowid; $resql = $db->query($sql); //Update status communication of thirdparty prospect - $sql = "UPDATE ".MAIN_DB_PREFIX."societe SET fk_stcomm=3 WHERE fk_stcomm != -1 AND rowid IN (SELECT source_id FROM ".MAIN_DB_PREFIX."mailing_cibles WHERE tag='".$db->escape($tag)."' AND source_type='thirdparty' AND source_id is not null)"; - dol_syslog("public/emailing/mailing-read.php : Mail read thirdparty : ".$sql, LOG_DEBUG); - - $resql = $db->query($sql); + if ($obj->source_id > 0 && $obj->source_type == 'thirdparty' && $obj->entity) { + $sql = "UPDATE ".MAIN_DB_PREFIX.'societe SET fk_stcomm = 3 WHERE fk_stcomm <> -1 AND entity = '.$obj->entity.' AND rowid = '.$obj->source_id; + $resql = $db->query($sql); + } //Update status communication of contact prospect - $sql = "UPDATE ".MAIN_DB_PREFIX."societe SET fk_stcomm=3 WHERE fk_stcomm != -1 AND rowid IN (SELECT sc.fk_soc FROM ".MAIN_DB_PREFIX."socpeople AS sc INNER JOIN ".MAIN_DB_PREFIX."mailing_cibles AS mc ON mc.tag = '".$db->escape($tag)."' AND mc.source_type = 'contact' AND mc.source_id = sc.rowid)"; - dol_syslog("public/emailing/mailing-read.php : Mail read contact : ".$sql, LOG_DEBUG); - - $resql = $db->query($sql); + if ($obj->source_id > 0 && $obj->source_type == 'contact' && $obj->entity) { + $sql = "UPDATE ".MAIN_DB_PREFIX.'societe SET fk_stcomm = 3 WHERE fk_stcomm <> -1 AND entity = '.$obj->entity.' AND rowid IN (SELECT sc.fk_soc FROM '.MAIN_DB_PREFIX.'socpeople AS sc WHERE sc.rowid = '.$obj->source_id.')'; + $resql = $db->query($sql); + } } $db->close(); diff --git a/htdocs/public/emailing/mailing-unsubscribe.php b/htdocs/public/emailing/mailing-unsubscribe.php index 0d62545cf57..5e15769a753 100644 --- a/htdocs/public/emailing/mailing-unsubscribe.php +++ b/htdocs/public/emailing/mailing-unsubscribe.php @@ -58,6 +58,8 @@ global $user, $conf, $langs; $langs->loadLangs(array("main", "mails")); +$mtid = GETPOST('mtid'); +$email = GETPOST('email'); $tag = GETPOST('tag'); $unsuscrib = GETPOST('unsuscrib'); $securitykey = GETPOST('securitykey'); @@ -80,7 +82,7 @@ if (!empty($tag) && ($unsuscrib == '1')) { dol_syslog("public/emailing/mailing-unsubscribe.php : Launch unsubscribe requests", LOG_DEBUG); - $sql = "SELECT mc.email, m.entity"; + $sql = "SELECT mc.rowid, mc.email, mc.statut, m.entity"; $sql .= " FROM ".MAIN_DB_PREFIX."mailing_cibles as mc, ".MAIN_DB_PREFIX."mailing as m"; $sql .= " WHERE mc.fk_mailing = m.rowid AND mc.tag='".$db->escape($tag)."'"; @@ -89,11 +91,26 @@ if (!empty($tag) && ($unsuscrib == '1')) $obj = $db->fetch_object($resql); - if (empty($obj->email)) - { - print 'Email not found. No need to unsubscribe.'; + if (empty($obj)) { + print 'Email target not valid. Operation canceled.'; exit; } + if (empty($obj->email)) { + print 'Email target not valid. Operation canceled.'; + exit; + } + if ($obj->statut == 3) { + print 'Email target already set to unsubscribe. Operation canceled.'; + exit; + } + // TODO Test that mtid and email match also with the one found from $tag + /* + if ($obj->email != $email) + { + print 'Email does not match tagnot found. No need to unsubscribe.'; + exit; + } + */ // Update status of mail in recipient mailing list table $statut = '3';