
Commit 3ec13c8

Improve the mail header injection feature
1 parent fada5c2 commit 3ec13c8

6 files changed

+5
-24
lines changed


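--- a/src/main/kotlin/org/t246osslab/easybuggy4kt/vulnerabilities/MailHeaderInjectionController.kt
+++ b/src/main/kotlin/org/t246osslab/easybuggy4kt/vulnerabilities/MailHeaderInjectionController.kt
@@ -27,30 +27,16 @@ import javax.servlet.http.Part
 @Controller
 class MailHeaderInjectionController : AbstractController() {
 
-@Value("\${spring.mail.username}")
-internal var username: String? = null
-
-@Value("\${spring.mail.password}")
-internal var password: String? = null
-
 // administrator's mail address
 @Value("\${mail.admin.address}")
 private var adminAddress: String? = null
 
 @Autowired
 private val javaMailSender: JavaMailSender? = null
 
-private val isReadyToSendEmail: Boolean
-get() = !(StringUtils.isBlank(username) || StringUtils.isBlank(password) || StringUtils.isBlank(adminAddress))
-
 @RequestMapping(value = "/mailheaderijct", method = arrayOf(RequestMethod.GET))
 fun doGet(mav: ModelAndView, locale: Locale): ModelAndView {
 setViewAndCommonObjects(mav, locale, "mailheaderinjection")
-if (isReadyToSendEmail) {
-mav.addObject("isReady", "yes")
-} else {
-mav.addObject("note", msg?.getMessage("msg.smtp.server.not.setup", null, locale))
-}
 return mav
 }
 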
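Review bot: With the `isReadyToSendEmail` guard gone, `doGet` renders the send-mail form unconditionally, so a missing or unreachable MTA now surfaces only when the POST handler (outside this hunk) drives `javaMailSender`, and deleting the `msg.smtp.server.not.setup` message leaves no user-facing hint about that prerequisite. A class-level comment would preserve the intent for the next reader: `// Mail delivery assumes a reachable MTA at spring.mail.host/port (see application.properties); no readiness check is done here, so failures show up on POST.` The removed `username`/`password` fields and the getter were the only visible users of `StringUtils`, so the `StringUtils` import above the hunk is probably unused now — worth confirming against the rest of the file. The rest of the class, including the POST handler, continues past the end of the hunk.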
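--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -11,12 +11,12 @@ spring.datasource.driver-class-name=org.apache.derby.jdbc.EmbeddedDriver
 spring.datasource.platform=
 spring.datasource.continue-on-error=true
 
-spring.mail.host=smtp.gmail.com
-spring.mail.port=587
+spring.mail.host=localhost
+spring.mail.port=25
 spring.mail.username=
 spring.mail.password=
-spring.mail.properties.mail.smtp.auth=true
-spring.mail.properties.mail.smtp.starttls.enable=true
+spring.mail.properties.mail.smtp.auth=false
+spring.mail.properties.mail.smtp.starttls.enable=false
 
 spring.ldap.embedded.base-dn=dc=t246osslab,dc=org
 spring.ldap.embedded.port=8389
@@ -46,4 +46,4 @@ account.lock.time=3600000
 account.lock.count=5
 
 ### Send Mail feature
-mail.admin.address=
+mail.admin.address=root@localhost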
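Review bot: The new values at lines 14–19 point the sender at an unauthenticated, cleartext SMTP listener on `localhost:25`, and the only record of that assumption is the values themselves; a comment above `spring.mail.host` would explain why `spring.mail.username`/`spring.mail.password` are left empty, e.g. `# Local MTA, no auth/STARTTLS. The mail-header-injection page sends attacker-controlled headers, so this MTA must be local-delivery only and must not relay off-host.` `mail.admin.address=root@localhost` is consistent with that local-only intent. If the host is ever switched back to a real SMTP service, `spring.mail.properties.mail.smtp.auth` and `...starttls.enable` need to return to `true` together with the credentials; a note saying so here would prevent a half-reverted, plaintext-auth configuration.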

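--- a/src/main/resources/messages.properties
+++ b/src/main/resources/messages.properties
@@ -258,7 +258,6 @@ msg.reverse.color.complete = The color reversal of the image file has com
 msg.reverse.color.fail = The color reversal of the image file fails.
 msg.select.upload.file = Select a file to upload.
 msg.sent.mail = The mail was sent successfully.
-msg.smtp.server.not.setup = Mail properties are not correctly set in <code>application.properties</code>.
 msg.unknown.exception.occur = Unknown exception occurs : {0}
 msg.update.records = Updated {0} records.
 msg.update.users = You can update users information.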

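--- a/src/main/resources/messages_en.properties
+++ b/src/main/resources/messages_en.properties
@@ -258,7 +258,6 @@ msg.reverse.color.complete = The color reversal of the image file has com
 msg.reverse.color.fail = The color reversal of the image file fails.
 msg.select.upload.file = Select a file to upload.
 msg.sent.mail = The mail was sent successfully.
-msg.smtp.server.not.setup = Mail properties are not correctly set in <code>application.properties</code>.
 msg.unknown.exception.occur = Unknown exception occurs : {0}
 msg.update.records = Updated {0} records.
 msg.update.users = You can update users information.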

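--- a/src/main/resources/messages_ja.properties
+++ b/src/main/resources/messages_ja.properties
@@ -258,7 +258,6 @@ msg.reverse.color.complete = \u753B\u50CF\u30D5\u30A1\u30A4\u30EB\u306E\u
 msg.reverse.color.fail = \u753B\u50CF\u30D5\u30A1\u30A4\u30EB\u306E\u8272\u53CD\u8EE2\u306B\u5931\u6557\u3057\u307E\u3057\u305F\u3002
 msg.select.upload.file = \u30A2\u30C3\u30D7\u30ED\u30FC\u30C9\u3059\u308B\u30D5\u30A1\u30A4\u30EB\u3092\u9078\u629E\u3057\u3066\u4E0B\u3055\u3044\u3002
 msg.sent.mail = \u30E1\u30FC\u30EB\u304C\u6B63\u5E38\u306B\u9001\u4FE1\u3055\u308C\u307E\u3057\u305F\u3002
-msg.smtp.server.not.setup = \u30E1\u30FC\u30EB\u30D7\u30ED\u30D1\u30C6\u30A3\u304C<code>application.properties</code>\u306B\u6B63\u3057\u304F\u8A2D\u5B9A\u3055\u308C\u3066\u3044\u307E\u305B\u3093\u3002
 msg.unknown.exception.occur = \u4F55\u3089\u304B\u306E\u4F8B\u5916\u304C\u767A\u751F\u3057\u307E\u3057\u305F : {0}
 msg.update.records = {0}\u4EF6\u66F4\u65B0\u3057\u307E\u3057\u305F\u3002
 msg.update.users = \u30E6\u30FC\u30B6\u30FC\u60C5\u5831\u3092\u4E00\u62EC\u3067\u66F4\u65B0\u3057\u307E\u3059\u3002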

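--- a/src/main/resources/templates/mailheaderinjection.html
+++ b/src/main/resources/templates/mailheaderinjection.html
@@ -3,7 +3,6 @@
 <div th:replace="head"></div>
 <body style="margin-left: 20px; margin-right: 20px;">
 <div th:replace="header"></div>
-<th:block th:if="${isReady != null}">
 <form action="mailheaderijct" method="post"
 enctype="multipart/form-data">
 <p th:text="#{description.send.mail}" />
@@ -33,7 +32,6 @@
 </tr>
 </table>
 </form>
-</th:block>
 <div th:replace="messages"></div>
 </body>
 </html>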
