lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix DOS attack on emailings wrappers

Browse Source
This commit is contained in:
Laurent Destailleur 2021-03-05 14:54:17 +01:00
parent dcff298c5f
commit 1cd822bd75
3 changed files with 67 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
htdocs/core/modules/mailings/modules_mailings.php
View File

@ -158,6 +158,7 @@ class MailingTargets // This can't be abstract as it is used for some method
public function addTargetsToDatabase($mailing_id, $cibles) public function addTargetsToDatabase($mailing_id, $cibles)
{ {
global $conf; global $conf;
global $dolibarr_main_instance_unique_id;
$this->db->begin(); $this->db->begin();
@ -182,7 +183,7 @@ class MailingTargets // This can't be abstract as it is used for some method
$sql .= "'".$this->db->escape($targetarray['other'])."',"; $sql .= "'".$this->db->escape($targetarray['other'])."',";
$sql .= "'".$this->db->escape($targetarray['source_url'])."',"; $sql .= "'".$this->db->escape($targetarray['source_url'])."',";
$sql .= (empty($targetarray['source_id']) ? 'null' : "'".$this->db->escape($targetarray['source_id'])."'").","; $sql .= (empty($targetarray['source_id']) ? 'null' : "'".$this->db->escape($targetarray['source_id'])."'").",";
$sql .= "'".$this->db->escape(dol_hash($targetarray['email'].';'.$targetarray['lastname'].';'.$mailing_id.';'.$conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY))."',"; $sql .= "'".$this->db->escape(dol_hash($dolibarr_main_instance_unique_id.';'.$targetarray['email'].';'.$targetarray['lastname'].';'.$mailing_id.';'.$conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY), 'md5')."',";
$sql .= "'".$this->db->escape($targetarray['source_type'])."')"; $sql .= "'".$this->db->escape($targetarray['source_type'])."')";
dol_syslog(__METHOD__, LOG_DEBUG); dol_syslog(__METHOD__, LOG_DEBUG);
$result = $this->db->query($sql); $result = $this->db->query($sql);

55
htdocs/public/emailing/mailing-read.php
View File

@ -53,6 +53,8 @@ function llxFooter()
require '../../main.inc.php'; require '../../main.inc.php';
$mtid = GETPOST('mtid');
$email = GETPOST('email');
$tag = GETPOST('tag'); $tag = GETPOST('tag');
$securitykey = GETPOST('securitykey'); $securitykey = GETPOST('securitykey');
@ -71,23 +73,54 @@ if ($securitykey != $conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY)
if (!empty($tag)) if (!empty($tag))
{ {
$statut = '2'; dol_syslog("public/emailing/mailing-read.php : Update status of email target and thirdparty for tag ".$tag, LOG_DEBUG);
$sql = "UPDATE ".MAIN_DB_PREFIX."mailing_cibles SET statut=".$statut." WHERE tag='".$db->escape($tag)."'";
dol_syslog("public/emailing/mailing-read.php : Mail read : ".$sql, LOG_DEBUG);
$sql = "SELECT mc.rowid, mc.email, mc.statut, mc.source_type, mc.source_id, m.entity";
$sql .= " FROM ".MAIN_DB_PREFIX."mailing_cibles as mc, ".MAIN_DB_PREFIX."mailing as m";
$sql .= " WHERE mc.fk_mailing = m.rowid AND mc.tag='".$db->escape($tag)."'";
$resql = $db->query($sql);
if (!$resql) dol_print_error($db);
$obj = $db->fetch_object($resql);
if (empty($obj)) {
print 'Email target not valid. Operation canceled.';
exit;
}
if (empty($obj->email)) {
print 'Email target not valid. Operation canceled.';
exit;
}
if ($obj->statut == 2) {
print 'Email target already set to read. Operation canceled.';
exit;
}
// TODO Test that mtid and email match also with the one found from $tag
/*
if ($obj->email != $email)
{
print 'Email does not match tagnot found. No need to unsubscribe.';
exit;
}
*/
//Update status of target
$statut = '2';
$sql = "UPDATE ".MAIN_DB_PREFIX."mailing_cibles SET statut=".$statut." WHERE id = ".$obj->rowid;
$resql = $db->query($sql); $resql = $db->query($sql);
//Update status communication of thirdparty prospect //Update status communication of thirdparty prospect
$sql = "UPDATE ".MAIN_DB_PREFIX."societe SET fk_stcomm=3 WHERE fk_stcomm != -1 AND rowid IN (SELECT source_id FROM ".MAIN_DB_PREFIX."mailing_cibles WHERE tag='".$db->escape($tag)."' AND source_type='thirdparty' AND source_id is not null)"; if ($obj->source_id > 0 && $obj->source_type == 'thirdparty' && $obj->entity) {
dol_syslog("public/emailing/mailing-read.php : Mail read thirdparty : ".$sql, LOG_DEBUG); $sql = "UPDATE ".MAIN_DB_PREFIX.'societe SET fk_stcomm = 3 WHERE fk_stcomm <> -1 AND entity = '.$obj->entity.' AND rowid = '.$obj->source_id;
$resql = $db->query($sql);
$resql = $db->query($sql); }
//Update status communication of contact prospect //Update status communication of contact prospect
$sql = "UPDATE ".MAIN_DB_PREFIX."societe SET fk_stcomm=3 WHERE fk_stcomm != -1 AND rowid IN (SELECT sc.fk_soc FROM ".MAIN_DB_PREFIX."socpeople AS sc INNER JOIN ".MAIN_DB_PREFIX."mailing_cibles AS mc ON mc.tag = '".$db->escape($tag)."' AND mc.source_type = 'contact' AND mc.source_id = sc.rowid)"; if ($obj->source_id > 0 && $obj->source_type == 'contact' && $obj->entity) {
dol_syslog("public/emailing/mailing-read.php : Mail read contact : ".$sql, LOG_DEBUG); $sql = "UPDATE ".MAIN_DB_PREFIX.'societe SET fk_stcomm = 3 WHERE fk_stcomm <> -1 AND entity = '.$obj->entity.' AND rowid IN (SELECT sc.fk_soc FROM '.MAIN_DB_PREFIX.'socpeople AS sc WHERE sc.rowid = '.$obj->source_id.')';
$resql = $db->query($sql);
$resql = $db->query($sql); }
} }
$db->close(); $db->close();

25
htdocs/public/emailing/mailing-unsubscribe.php
View File

@ -58,6 +58,8 @@ global $user, $conf, $langs;
$langs->loadLangs(array("main", "mails")); $langs->loadLangs(array("main", "mails"));
$mtid = GETPOST('mtid');
$email = GETPOST('email');
$tag = GETPOST('tag'); $tag = GETPOST('tag');
$unsuscrib = GETPOST('unsuscrib'); $unsuscrib = GETPOST('unsuscrib');
$securitykey = GETPOST('securitykey'); $securitykey = GETPOST('securitykey');
@ -80,7 +82,7 @@ if (!empty($tag) && ($unsuscrib == '1'))
{ {
dol_syslog("public/emailing/mailing-unsubscribe.php : Launch unsubscribe requests", LOG_DEBUG); dol_syslog("public/emailing/mailing-unsubscribe.php : Launch unsubscribe requests", LOG_DEBUG);
$sql = "SELECT mc.email, m.entity"; $sql = "SELECT mc.rowid, mc.email, mc.statut, m.entity";
$sql .= " FROM ".MAIN_DB_PREFIX."mailing_cibles as mc, ".MAIN_DB_PREFIX."mailing as m"; $sql .= " FROM ".MAIN_DB_PREFIX."mailing_cibles as mc, ".MAIN_DB_PREFIX."mailing as m";
$sql .= " WHERE mc.fk_mailing = m.rowid AND mc.tag='".$db->escape($tag)."'"; $sql .= " WHERE mc.fk_mailing = m.rowid AND mc.tag='".$db->escape($tag)."'";
@ -89,11 +91,26 @@ if (!empty($tag) && ($unsuscrib == '1'))
$obj = $db->fetch_object($resql); $obj = $db->fetch_object($resql);
if (empty($obj->email)) if (empty($obj)) {
{ print 'Email target not valid. Operation canceled.';
print 'Email not found. No need to unsubscribe.';
exit; exit;
} }
if (empty($obj->email)) {
print 'Email target not valid. Operation canceled.';
exit;
}
if ($obj->statut == 3) {
print 'Email target already set to unsubscribe. Operation canceled.';
exit;
}
// TODO Test that mtid and email match also with the one found from $tag
/*
if ($obj->email != $email)
{
print 'Email does not match tagnot found. No need to unsubscribe.';
exit;
}
*/
// Update status of mail in recipient mailing list table // Update status of mail in recipient mailing list table
$statut = '3'; $statut = '3';