Improve the mail header injection feature

k-tamura · k-tamura · commit 3ec13c8b23cc · 2018-05-22T17:33:55.000+09:00
diff --git a/src/main/kotlin/org/t246osslab/easybuggy4kt/vulnerabilities/MailHeaderInjectionController.kt b/src/main/kotlin/org/t246osslab/easybuggy4kt/vulnerabilities/MailHeaderInjectionController.kt
@@ -27,30 +27,16 @@ import javax.servlet.http.Part
 @Controller
 class MailHeaderInjectionController : AbstractController() {
 
-    @Value("\${spring.mail.username}")
-    internal var username: String? = null
-
-    @Value("\${spring.mail.password}")
-    internal var password: String? = null
-
     // administrator's mail address
     @Value("\${mail.admin.address}")
     private var adminAddress: String? = null
 
     @Autowired
     private val javaMailSender: JavaMailSender? = null
 
-    private val isReadyToSendEmail: Boolean
-        get() = !(StringUtils.isBlank(username) || StringUtils.isBlank(password) || StringUtils.isBlank(adminAddress))
-
     @RequestMapping(value = "/mailheaderijct", method = arrayOf(RequestMethod.GET))
     fun doGet(mav: ModelAndView, locale: Locale): ModelAndView {
         setViewAndCommonObjects(mav, locale, "mailheaderinjection")
-        if (isReadyToSendEmail) {
-            mav.addObject("isReady", "yes")
-        } else {
-            mav.addObject("note", msg?.getMessage("msg.smtp.server.not.setup", null, locale))
-        }
         return mav
     }
 
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
@@ -11,12 +11,12 @@ spring.datasource.driver-class-name=org.apache.derby.jdbc.EmbeddedDriver
 spring.datasource.platform=
 spring.datasource.continue-on-error=true
 
-spring.mail.host=smtp.gmail.com
-spring.mail.port=587
+spring.mail.host=localhost
+spring.mail.port=25
 spring.mail.username=
 spring.mail.password=
-spring.mail.properties.mail.smtp.auth=true
-spring.mail.properties.mail.smtp.starttls.enable=true
+spring.mail.properties.mail.smtp.auth=false
+spring.mail.properties.mail.smtp.starttls.enable=false
 
 spring.ldap.embedded.base-dn=dc=t246osslab,dc=org
 spring.ldap.embedded.port=8389
@@ -46,4 +46,4 @@ account.lock.time=3600000
 account.lock.count=5
 
 ### Send Mail feature
-mail.admin.address=
+mail.admin.address=root@localhost
diff --git a/src/main/resources/messages.properties b/src/main/resources/messages.properties
@@ -258,7 +258,6 @@ msg.reverse.color.complete        = The color reversal of the image file has com
 msg.reverse.color.fail            = The color reversal of the image file fails.
 msg.select.upload.file            = Select a file to upload.
 msg.sent.mail                     = The mail was sent successfully.
-msg.smtp.server.not.setup         = Mail properties are not correctly set in <code>application.properties</code>.
 msg.unknown.exception.occur       = Unknown exception occurs : {0}
 msg.update.records                = Updated {0} records.
 msg.update.users                  = You can update users information.
diff --git a/src/main/resources/messages_en.properties b/src/main/resources/messages_en.properties
@@ -258,7 +258,6 @@ msg.reverse.color.complete        = The color reversal of the image file has com
 msg.reverse.color.fail            = The color reversal of the image file fails.
 msg.select.upload.file            = Select a file to upload.
 msg.sent.mail                     = The mail was sent successfully.
-msg.smtp.server.not.setup         = Mail properties are not correctly set in <code>application.properties</code>.
 msg.unknown.exception.occur       = Unknown exception occurs : {0}
 msg.update.records                = Updated {0} records.
 msg.update.users                  = You can update users information.
diff --git a/src/main/resources/messages_ja.properties b/src/main/resources/messages_ja.properties
@@ -258,7 +258,6 @@ msg.reverse.color.complete        = \u753B\u50CF\u30D5\u30A1\u30A4\u30EB\u306E\u
 msg.reverse.color.fail            = \u753B\u50CF\u30D5\u30A1\u30A4\u30EB\u306E\u8272\u53CD\u8EE2\u306B\u5931\u6557\u3057\u307E\u3057\u305F\u3002
 msg.select.upload.file            = \u30A2\u30C3\u30D7\u30ED\u30FC\u30C9\u3059\u308B\u30D5\u30A1\u30A4\u30EB\u3092\u9078\u629E\u3057\u3066\u4E0B\u3055\u3044\u3002
 msg.sent.mail                     = \u30E1\u30FC\u30EB\u304C\u6B63\u5E38\u306B\u9001\u4FE1\u3055\u308C\u307E\u3057\u305F\u3002
-msg.smtp.server.not.setup         = \u30E1\u30FC\u30EB\u30D7\u30ED\u30D1\u30C6\u30A3\u304C<code>application.properties</code>\u306B\u6B63\u3057\u304F\u8A2D\u5B9A\u3055\u308C\u3066\u3044\u307E\u305B\u3093\u3002
 msg.unknown.exception.occur       = \u4F55\u3089\u304B\u306E\u4F8B\u5916\u304C\u767A\u751F\u3057\u307E\u3057\u305F : {0}
 msg.update.records                = {0}\u4EF6\u66F4\u65B0\u3057\u307E\u3057\u305F\u3002
 msg.update.users                  = \u30E6\u30FC\u30B6\u30FC\u60C5\u5831\u3092\u4E00\u62EC\u3067\u66F4\u65B0\u3057\u307E\u3059\u3002
diff --git a/src/main/resources/templates/mailheaderinjection.html b/src/main/resources/templates/mailheaderinjection.html
@@ -3,7 +3,6 @@
 <div th:replace="head"></div>
 <body style="margin-left: 20px; margin-right: 20px;">
 	<div th:replace="header"></div>
-	<th:block th:if="${isReady != null}">
 		<form action="mailheaderijct" method="post"
 			enctype="multipart/form-data">
 			<p th:text="#{description.send.mail}" />
@@ -33,7 +32,6 @@
 				</tr>
 			</table>
 		</form>
-	</th:block>
     <div th:replace="messages"></div>
 </body>
 </html>
