🔒 Detect schemeless URL in mail (#254)

CHANGELOG

@@ -6,6 +6,7 @@ Revision history for Lufi
 	- 🌐 Update translations
 	- 🔒 Fix XSS where using zip feature (#254)
 	- 🔒 Fix unauthorized manipulations of invitations (#254)
+	- 🔒 Detect schemeless URL in mail (#254)
 
 0.05.14 2021-06-16
 	- 🔧 Set default morbo port to 3000 (as it should have stay)

lib/Lufi/Controller/Mail.pm

@@ -5,6 +5,7 @@ use Mojo::JSON qw(decode_json);
 use Mojo::URL;
 use Email::Valid;
 use URI::Find;
+use URI::Find::Schemeless;
 
 sub render_mail {
     my $c = shift;
@@ -39,7 +40,7 @@ sub send_mail {
         my ($uri, $orig_uri) = @_;
         $uri = Mojo::URL->new($uri);
         if ($uri->host ne $base_url->to_abs->host && $uri->host ne $fixed_url->to_abs->host) {
-            $msg .= $c->l('You can\'t add URLs that are not related to this instance.').'<br>';
+            $msg .= $c->l('You can\'t add URLs that are not related to this instance (%1).', $orig_uri).'<br>';
         } elsif (index($orig_uri, $fixed_url->to_abs->to_string) > -1) {
             $at_least_one_instance_url = 1;
         }
@@ -48,7 +49,20 @@ sub send_mail {
     $finder->find(\$body);
     $finder->find(\$subject);
 
-    $c->debug($at_least_one_instance_url);
+    # Schemeless URI beginning with www, which are interpreted by mailers 🤦
+    $finder = URI::Find::Schemeless->new(sub {
+        my ($uri, $orig_uri) = @_;
+        return $orig_uri if ($uri !~ m/www/);
+
+        $uri = Mojo::URL->new($uri);
+        if ($uri->host ne $base_url->to_abs->host && $uri->host ne $fixed_url->to_abs->host) {
+            $msg .= $c->l('You can\'t add URLs that are not related to this instance (%1).', $orig_uri).'<br>';
+        }
+        return $orig_uri;
+    });
+    $finder->find(\$body);
+    $finder->find(\$subject);
+
     unless ($at_least_one_instance_url) {
         $msg .= $c->l('The body of the mail must contain at least one URL pointing to a file hosted on this instance.').'<br>';
     }

themes/default/lib/Lufi/I18N/en.po

@@ -98,7 +98,7 @@ msgstr "Asking for file part XX1 of %1"
 msgid "Back to homepage"
 msgstr "Back to homepage"
 
-#: lib/Lufi/Controller/Mail.pm:25
+#: lib/Lufi/Controller/Mail.pm:26
 msgid "Bad CSRF token!"
 msgstr "Bad CSRF token!"
 
@@ -564,7 +564,7 @@ msgstr "The URLs of your files have been sent by email to %1."
 msgid "The administrator can only see the file's name, its size and its mimetype (what kind of file it is: video, text, etc.)."
 msgstr "The administrator can only see the file's name, its size and its mimetype (what kind of file it is: video, text, etc.)."
 
-#: lib/Lufi/Controller/Mail.pm:53
+#: lib/Lufi/Controller/Mail.pm:67
 msgid "The body of the mail must contain at least one URL pointing to a file hosted on this instance."
 msgstr "The body of the mail must contain at least one URL pointing to a file hosted on this instance."
 
@@ -572,11 +572,11 @@ msgstr "The body of the mail must contain at least one URL pointing to a file ho
 msgid "The data has been successfully imported."
 msgstr "The data has been successfully imported."
 
-#: lib/Lufi/Controller/Mail.pm:73
+#: lib/Lufi/Controller/Mail.pm:87
 msgid "The email body can't be empty."
 msgstr "The email body can't be empty."
 
-#: lib/Lufi/Controller/Mail.pm:72
+#: lib/Lufi/Controller/Mail.pm:86
 msgid "The email subject can't be empty."
 msgstr "The email subject can't be empty."
 
@@ -594,7 +594,7 @@ msgid "The files uploaded on a Lufi instance are encrypted before the upload to
 msgstr "The files uploaded on a Lufi instance are encrypted before the upload to the server: the administrator of the server can not see the file's content."
 
 #. (join(', ', @bad)
-#: lib/Lufi/Controller/Mail.pm:68
+#: lib/Lufi/Controller/Mail.pm:82
 msgid "The following email addresses are not valid: %1"
 msgstr "The following email addresses are not valid: %1"
 
@@ -642,7 +642,7 @@ msgstr "The link(s) of your file(s) will automatically be sent by mail to %1 (%2
 msgid "The links of your file(s) will automatically be sent by mail to %1."
 msgstr "The link(s) of your file(s) will automatically be sent by mail to %1."
 
-#: lib/Lufi/Controller/Mail.pm:97
+#: lib/Lufi/Controller/Mail.pm:111
 msgid "The mail has been sent."
 msgstr "The mail has been sent."
 
@@ -746,7 +746,12 @@ msgstr "You can invite someone to send you files through this Lufi instance even
 msgid "You can see the list of your files by clicking on the \"My files\" link at the top right of this page."
 msgstr "You can see the list of your files by clicking on the \"My files\" link at the top right of this page."
 
-#: lib/Lufi/Controller/Mail.pm:42
+#. ($orig_uri)
+#: lib/Lufi/Controller/Mail.pm:43 lib/Lufi/Controller/Mail.pm:59
+msgid "You can't add URLs that are not related to this instance (%1)."
+msgstr "You can't add URLs that are not related to this instance (%1)."
+
+#:
 msgid "You can't add URLs that are not related to this instance."
 msgstr "You can't add URLs that are not related to this instance."
 
@@ -770,7 +775,7 @@ msgstr "You have attempted to leave this page. The upload will be canceled. Are
 msgid "You have been successfully logged out."
 msgstr "You have been successfully logged out."
 
-#: lib/Lufi/Controller/Mail.pm:71
+#: lib/Lufi/Controller/Mail.pm:85
 msgid "You must give email addresses."
 msgstr "You must give email addresses."
 

themes/default/lib/Lufi/I18N/lufi.pot

@@ -98,7 +98,7 @@ msgstr ""
 msgid "Back to homepage"
 msgstr ""
 
-#: lib/Lufi/Controller/Mail.pm:25
+#: lib/Lufi/Controller/Mail.pm:26
 msgid "Bad CSRF token!"
 msgstr ""
 
@@ -564,7 +564,7 @@ msgstr ""
 msgid "The administrator can only see the file's name, its size and its mimetype (what kind of file it is: video, text, etc.)."
 msgstr ""
 
-#: lib/Lufi/Controller/Mail.pm:53
+#: lib/Lufi/Controller/Mail.pm:67
 msgid "The body of the mail must contain at least one URL pointing to a file hosted on this instance."
 msgstr ""
 
@@ -572,11 +572,11 @@ msgstr ""
 msgid "The data has been successfully imported."
 msgstr ""
 
-#: lib/Lufi/Controller/Mail.pm:73
+#: lib/Lufi/Controller/Mail.pm:87
 msgid "The email body can't be empty."
 msgstr ""
 
-#: lib/Lufi/Controller/Mail.pm:72
+#: lib/Lufi/Controller/Mail.pm:86
 msgid "The email subject can't be empty."
 msgstr ""
 
@@ -594,7 +594,7 @@ msgid "The files uploaded on a Lufi instance are encrypted before the upload to
 msgstr ""
 
 #. (join(', ', @bad)
-#: lib/Lufi/Controller/Mail.pm:68
+#: lib/Lufi/Controller/Mail.pm:82
 msgid "The following email addresses are not valid: %1"
 msgstr ""
 
@@ -642,7 +642,7 @@ msgstr ""
 msgid "The links of your file(s) will automatically be sent by mail to %1."
 msgstr ""
 
-#: lib/Lufi/Controller/Mail.pm:97
+#: lib/Lufi/Controller/Mail.pm:111
 msgid "The mail has been sent."
 msgstr ""
 
@@ -746,8 +746,9 @@ msgstr ""
 msgid "You can see the list of your files by clicking on the \"My files\" link at the top right of this page."
 msgstr ""
 
-#: lib/Lufi/Controller/Mail.pm:42
-msgid "You can't add URLs that are not related to this instance."
+#. ($orig_uri)
+#: lib/Lufi/Controller/Mail.pm:43 lib/Lufi/Controller/Mail.pm:59
+msgid "You can't add URLs that are not related to this instance (%1)."
 msgstr ""
 
 #: themes/default/templates/about.html.ep:8
@@ -770,7 +771,7 @@ msgstr ""
 msgid "You have been successfully logged out."
 msgstr ""
 
-#: lib/Lufi/Controller/Mail.pm:71
+#: lib/Lufi/Controller/Mail.pm:85
 msgid "You must give email addresses."
 msgstr ""