From 534e2b12825768a12f8e8f6c3b30a6334b640760 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Fri, 16 Dec 2016 13:46:39 +0100
Subject: [PATCH] FIX Security to restrict email sending was not efficient

---
 build/debian/conf.php.install      |  8 +++++++-
 htdocs/admin/system/constall.php   |  3 ++-
 htdocs/admin/system/dolibarr.php   |  3 ++-
 htdocs/comm/mailing/card.php       | 13 ++++++++-----
 htdocs/conf/conf.php.example       | 12 +++++++++---
 htdocs/filefunc.inc.php            |  1 +
 htdocs/langs/en_US/mails.lang      |  4 ++--
 htdocs/master.inc.php              | 13 +++++++++++++
 scripts/emailings/mailing-send.php | 11 ++++++++++-
 9 files changed, 54 insertions(+), 14 deletions(-)

diff --git a/build/debian/conf.php.install b/build/debian/conf.php.install
index c0ba3bdb120..72b18049a6c 100644
--- a/build/debian/conf.php.install
+++ b/build/debian/conf.php.install
@@ -222,7 +222,13 @@ $dolibarr_main_prod='0';
 # $dolibarr_main_limit_users='0';
 
 # dolibarr_mailing_limit_sendbyweb
-# Can set a limit for mailing send by web, can be used for a restricted mode.
+# Can set a limit for mailing send by web. This overwrite database value. Can be used to restrict on OS level.
 # Default value: 0 (use database value if exist)
 # Examples:
 # $dolibarr_mailing_limit_sendbyweb='0';
+
+# dolibarr_mailing_limit_sendbycli
+# Can set a limit for mailing send by cli. This overwrite database value. Can be used to restrict on OS level.
+# Default value: 0 (use database value if exist)
+# Examples:
+# $dolibarr_mailing_limit_sendbycli='0';
diff --git a/htdocs/admin/system/constall.php b/htdocs/admin/system/constall.php
index 1ff005e88b2..0fb3a6c9a7b 100644
--- a/htdocs/admin/system/constall.php
+++ b/htdocs/admin/system/constall.php
@@ -90,7 +90,8 @@ $configfileparameters=array(
                             '?dolibarr_font_DOL_DEFAULT_TTF_BOLD',
 							'separator',
 							'?dolibarr_mailing_limit_sendbyweb',
-							'?dolibarr_strict_mode'
+							'?dolibarr_mailing_limit_sendbycli',
+                            '?dolibarr_strict_mode'
 						);
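Review bot: The added `'?dolibarr_strict_mode'` entry is indented with spaces while every neighbouring element of `$configfileparameters` uses tabs, so the new list line no longer lines up in the array literal. The same mixed indentation appears in the htdocs/admin/system/dolibarr.php hunk on its `'?dolibarr_strict_mode' => 'Strict mode is on/off',` line. Both lines should keep the tab indentation of the lines around them; the array they belong to starts before the hunk.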
 $configfilelib=array(
 //					'separator',
diff --git a/htdocs/admin/system/dolibarr.php b/htdocs/admin/system/dolibarr.php
index eeea93a2fea..38ae5377710 100644
--- a/htdocs/admin/system/dolibarr.php
+++ b/htdocs/admin/system/dolibarr.php
@@ -284,7 +284,8 @@ $configfileparameters=array(
 		'separator4' => '',
 		'dolibarr_main_prod' => 'Production mode (Hide all error messages)',
 		'?dolibarr_mailing_limit_sendbyweb' => 'Limit nb of email sent by page',
-		'?dolibarr_strict_mode' => 'Strict mode is on/off',
+		'?dolibarr_mailing_limit_sendbycli' => 'Limit nb of email sent by cli',
+        '?dolibarr_strict_mode' => 'Strict mode is on/off',
 		'?dolibarr_pdf_force_fpdf' => 'Force fpdf usage to generate PDF'
 );
 
diff --git a/htdocs/comm/mailing/card.php b/htdocs/comm/mailing/card.php
index 2cb2337d177..016caddbabf 100644
--- a/htdocs/comm/mailing/card.php
+++ b/htdocs/comm/mailing/card.php
@@ -761,6 +761,7 @@ else
 				$sendingmode=$conf->global->MAIN_MAIL_SENDMODE;
 				if (empty($sendingmode)) $sendingmode='mail';	// If not defined, we use php mail function
 
+				// Note: MAILING_LIMIT_SENDBYWEB is always defined to something != 0
 				if (! empty($conf->global->MAILING_NO_USING_PHPMAIL) && $sendingmode == 'mail')
 				{
 					// EMailing feature may be a spam problem, so when you host several users/instance, having this option may force each user to use their own SMTP agent.
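Review bot: The new note says MAILING_LIMIT_SENDBYWEB is "always defined to something != 0" but does not say where that invariant comes from, so a reader of card.php cannot check it. The guarantee is established in master.inc.php in this same commit (fallback to 25 when neither conf file nor database defines it), and the special value '-1' is what the following branch tests. A comment such as `// Note: MAILING_LIMIT_SENDBYWEB is never empty here: master.inc.php defaults it to 25; '-1' means web sending is forbidden` would make the assumption traceable. The enclosing `if` chain continues past the end of this hunk.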
@@ -772,19 +773,21 @@ else
 					if (! empty($conf->global->MAILING_SMTP_SETUP_EMAILS_FOR_QUESTIONS)) setEventMessages($langs->trans("MailSendSetupIs3", $conf->global->MAILING_SMTP_SETUP_EMAILS_FOR_QUESTIONS), null, 'warnings');
 					$_GET["action"]='';
 				}
-				else if (empty($conf->global->MAILING_LIMIT_SENDBYWEB))
+				else if ($conf->global->MAILING_LIMIT_SENDBYWEB == '-1')
 				{
-					// Pour des raisons de securite, on ne permet pas cette fonction via l'IHM,
-					// on affiche donc juste un message
+					// No limit was defined, so the feature is forbidden from GUI, we show just a message.
 					setEventMessages($langs->trans("MailingNeedCommand"), null, 'warnings');
 					setEventMessages('<textarea cols="60" rows="'.ROWS_1.'" wrap="soft">php ./scripts/emailings/mailing-send.php '.$object->id.'</textarea>', null, 'warnings');
-					setEventMessages($langs->trans("MailingNeedCommand2"), null, 'warnings');
+					if ($conf->file->mailing_limit_sendbyweb != '-1')
+					{
+					   setEventMessages($langs->trans("MailingNeedCommand2"), null, 'warnings');  // You can send online with constant...
+					}
 					$_GET["action"]='';
 				}
 				else
 				{
 					$text='';
-                    if ($conf->file->mailing_limit_sendbyweb == 0)
+					if ($conf->global->MAILING_LIMIT_SENDBYCLI >= 0)
                     {
                     	$text.=$langs->trans("MailingNeedCommand");
                     	$text.='<br><textarea cols="60" rows="'.ROWS_2.'" wrap="soft">php ./scripts/emailings/mailing-send.php '.$object->id.' '.$user->login.'</textarea>';
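Review bot: Both new conditions compare configuration values loosely: `$conf->global->MAILING_LIMIT_SENDBYWEB == '-1'` and `$conf->global->MAILING_LIMIT_SENDBYCLI >= 0` operate on values that arrive as strings from the conf file or the constants table, so non-numeric or padded values compare in surprising ways across PHP versions. Casting first keeps the intent explicit: `else if ((int) $conf->global->MAILING_LIMIT_SENDBYWEB === -1)` and `if ((int) $conf->global->MAILING_LIMIT_SENDBYCLI >= 0)`. It is also worth a comment on the second one that, with the default of 0 set in master.inc.php, the CLI command hint is shown whenever CLI sending is not explicitly forbidden. The `else` block this hunk opens continues beyond the last line shown.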
diff --git a/htdocs/conf/conf.php.example b/htdocs/conf/conf.php.example
index 3d6db94d801..11d0fc8ef23 100644
--- a/htdocs/conf/conf.php.example
+++ b/htdocs/conf/conf.php.example
@@ -262,9 +262,15 @@ $dolibarr_main_db_prefix='';
 // $dolibarr_main_limit_users='0';
 
 // dolibarr_mailing_limit_sendbyweb
-// Can set a limit for mailing send by web. Can be used for a restricted mode.
-// Default value: 0 (use database value if exist)
-// Examples:
+// Can set a limit for mailing send by web. This overwrite database value. Can be used to restrict on OS level.
+// Default value: '0' (no overwrite, use database value if exists)
+// Examples: '-1' (sending by web is forbidden)
+// $dolibarr_mailing_limit_sendbyweb='0';
+
+// dolibarr_mailing_limit_sendbycli
+// Can set a limit for mailing send by cli. This overwrite database value. Can be used to restrict on OS level.
+// Default value: '0' (no overwrite, use database value if exists)
+// Examples: '-1' (sending by cli is forbidden)
 // $dolibarr_mailing_limit_sendbyweb='0';
 
 // dolibarr_strict_mode
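Review bot: The example line under the new `dolibarr_mailing_limit_sendbycli` section still shows the web variable, `// $dolibarr_mailing_limit_sendbyweb='0';`, which looks like a copy-paste slip and will mislead administrators who copy it into conf.php. It should read `// $dolibarr_mailing_limit_sendbycli='0';` so the example matches the variable it documents. The same example in build/debian/conf.php.install is correct, so only this file needs the fix.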
diff --git a/htdocs/filefunc.inc.php b/htdocs/filefunc.inc.php
index 14dd1f0e318..7de3a9f9377 100644
--- a/htdocs/filefunc.inc.php
+++ b/htdocs/filefunc.inc.php
@@ -122,6 +122,7 @@ if (empty($dolibarr_main_db_encryption)) $dolibarr_main_db_encryption=0;
 if (empty($dolibarr_main_db_cryptkey)) $dolibarr_main_db_cryptkey='';
 if (empty($dolibarr_main_limit_users)) $dolibarr_main_limit_users=0;
 if (empty($dolibarr_mailing_limit_sendbyweb)) $dolibarr_mailing_limit_sendbyweb=0;
+if (empty($dolibarr_mailing_limit_sendbycli)) $dolibarr_mailing_limit_sendbycli=0;
 if (empty($dolibarr_strict_mode)) $dolibarr_strict_mode=0; // For debug in php strict mode
 // TODO Multicompany Remove this. Useless.
 if (empty($multicompany_transverse_mode)) $multicompany_transverse_mode=0;
diff --git a/htdocs/langs/en_US/mails.lang b/htdocs/langs/en_US/mails.lang
index 94a74604901..e748b634785 100644
--- a/htdocs/langs/en_US/mails.lang
+++ b/htdocs/langs/en_US/mails.lang
@@ -116,9 +116,9 @@ SearchAMailing=Search mailing
 SendMailing=Send emailing
 SendMail=Send email
 SentBy=Sent by
-MailingNeedCommand=For security reason, sending an emailing is better when performed from command line. If you have one, ask your server administrator to launch the following command to send the emailing to all recipients:
+MailingNeedCommand=For security reason, sending an emailing must be performed from command line. Ask your server administrator to launch the following command to send the emailing to all recipients:
 MailingNeedCommand2=You can however send them online by adding parameter MAILING_LIMIT_SENDBYWEB with value of max number of emails you want to send by session. For this, go on Home - Setup - Other. 
-ConfirmSendingEmailing=If you can't or prefer sending them with your www browser, please confirm you are sure you want to send emailing now from your browser ?
+ConfirmSendingEmailing=If you want to send emailing directly from this screen, please confirm you are sure you want to send emailing now from your browser ?
 LimitSendingEmailing=Note: Sending of emailings from web interface is done in several times for security and timeout reasons, <b>%s</b> recipients at a time for each sending session.
 TargetsReset=Clear list
 ToClearAllRecipientsClickHere=Click here to clear the recipient list for this emailing
diff --git a/htdocs/master.inc.php b/htdocs/master.inc.php
index 7c0000bedea..80fc5d9a1d4 100644
--- a/htdocs/master.inc.php
+++ b/htdocs/master.inc.php
@@ -61,6 +61,7 @@ if (defined('TEST_DB_FORCE_TYPE')) $conf->db->type=constant('TEST_DB_FORCE_TYPE'
 // Set properties specific to conf file
 $conf->file->main_limit_users			= $dolibarr_main_limit_users;
 $conf->file->mailing_limit_sendbyweb	= $dolibarr_mailing_limit_sendbyweb;
+$conf->file->mailing_limit_sendbycli	= $dolibarr_mailing_limit_sendbycli;
 $conf->file->main_authentication		= empty($dolibarr_main_authentication)?'':$dolibarr_main_authentication;	// Identification mode
 $conf->file->main_force_https			= empty($dolibarr_main_force_https)?'':$dolibarr_main_force_https;			// Force https
 $conf->file->strict_mode 				= empty($dolibarr_strict_mode)?'':$dolibarr_strict_mode;					// Force php strict mode (for debug)
@@ -188,6 +189,18 @@ if (! empty($conf->file->mailing_limit_sendbyweb))
 {
 	$conf->global->MAILING_LIMIT_SENDBYWEB = $conf->file->mailing_limit_sendbyweb;
 }
+if (empty($conf->global->MAILING_LIMIT_SENDBYWEB))
+{
+    $conf->global->MAILING_LIMIT_SENDBYWEB = 25;
+}
+if (! empty($conf->file->mailing_limit_sendbycli))
+{
+    $conf->global->MAILING_LIMIT_SENDBYCLI = $conf->file->mailing_limit_sendbycli;
+}
+if (empty($conf->global->MAILING_LIMIT_SENDBYCLI))
+{
+    $conf->global->MAILING_LIMIT_SENDBYCLI = 0;
+}
 
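Review bot: The new fallback `$conf->global->MAILING_LIMIT_SENDBYWEB = 25;` changes the default from deny to allow: before this commit an empty value made card.php refuse web sending, whereas now an instance with no conf-file and no database value silently permits 25 emails per web session, and only an explicit '-1' forbids it. Because the check uses `empty()`, a database value of 0 is also promoted to 25, so an administrator who set 0 to disable the feature gets it re-enabled. Given the commit's stated goal of making the restriction effective, consider defaulting to -1 when nothing is configured, or at least document the behaviour next to the assignment: `// Unset or 0 (conf file or database) falls back to 25 emails per web session; only '-1' forbids web sending`. The same `empty()` promotion applies to MAILING_LIMIT_SENDBYCLI, where 0 means no limit.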
 // If software has been locked. Only login $conf->global->MAIN_ONLY_LOGIN_ALLOWED is allowed.
 if (! empty($conf->global->MAIN_ONLY_LOGIN_ALLOWED))
diff --git a/scripts/emailings/mailing-send.php b/scripts/emailings/mailing-send.php
index 98455b2a233..fb8612977a8 100755
--- a/scripts/emailings/mailing-send.php
+++ b/scripts/emailings/mailing-send.php
@@ -61,6 +61,11 @@ $error=0;
 @set_time_limit(0);
 print "***** ".$script_file." (".$version.") pid=".dol_getmypid()." *****\n";
 
+if ($conf->global->MAILING_LIMIT_SENDBYCLI == '-1')
+{
+    
+}
+
 $user = new User($db);
 // for signature, we use user send as parameter
 if (! empty($login)) $user->fetch('',$login);
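Review bot: The new `if ($conf->global->MAILING_LIMIT_SENDBYCLI == '-1')` block has an empty body, so the '-1' value documented in conf.php.example as "sending by cli is forbidden" is never enforced and the script goes on to send. The block should report the reason and stop with a non-zero status before any recipient is loaded, e.g. `print "Error: sending emailings from command line is disabled (MAILING_LIMIT_SENDBYCLI = -1)\n";` followed by `exit(-1);`. Casting with `(int)` before the comparison would also avoid depending on loose string-to-number comparison.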
@@ -108,7 +113,11 @@ if ($resql)
 			$sql2 = "SELECT mc.rowid, mc.lastname as lastname, mc.firstname as firstname, mc.email, mc.other, mc.source_url, mc.source_id, mc.source_type, mc.tag";
 			$sql2.= " FROM ".MAIN_DB_PREFIX."mailing_cibles as mc";
 			$sql2.= " WHERE mc.statut < 1 AND mc.fk_mailing = ".$id;
-
+		    if ($conf->global->MAILING_LIMIT_SENDBYCLI > 0)
+		    {
+		        $sql2.= " LIMIT ".$conf->global->MAILING_LIMIT_SENDBYCLI;
+		    }
+				
 			$resql2=$db->query($sql2);
 			if ($resql2)
 			{
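Review bot: The new `$sql2.= " LIMIT ".$conf->global->MAILING_LIMIT_SENDBYCLI;` concatenates a configuration value straight into SQL after only a `> 0` test, so a malformed value such as a non-numeric string passes the test under loose comparison and produces an invalid or unexpected LIMIT clause. Casting keeps the statement well-formed whatever the constant holds: `$sql2.= " LIMIT ".((int) $conf->global->MAILING_LIMIT_SENDBYCLI);` (the database layer may also offer a portable limit helper, which would be preferable if available). The added lines are indented with spaces inside a tab-indented block and the line after them is whitespace-only. The enclosing `if ($resql)` body starts and ends outside this hunk.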
-- 
GitLab