From 0e0615941208f048bc042990844f29b7973b7cd9 Mon Sep 17 00:00:00 2001
From: "Jannis M. Hoffmann" <jannis@fehcom.de>
Date: Mon, 4 Dec 2023 23:28:52 +0100
Subject: security fix login_required improve config defaults

---
 src/jwebmail/__init__.py | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

(limited to 'src/jwebmail/__init__.py')

diff --git a/src/jwebmail/__init__.py b/src/jwebmail/__init__.py
index b5279fb..405f35e 100644
--- a/src/jwebmail/__init__.py
+++ b/src/jwebmail/__init__.py
@@ -1,6 +1,7 @@
 import os.path as os_path
 import pwd
 import sys
+from os import environ
 
 from flask import Flask, g
 from flask_babel import Babel, get_locale
@@ -21,7 +22,6 @@ from .webmail import (
     readmail,
     sendmail,
     writemail,
-    DEFAULT_LANGUAGE,
 )
 
 if sys.version_info >= (3, 11):
@@ -37,11 +37,18 @@ def validate_config(app):
 
     assert "@" in conf["JWEBMAIL"]["ADMIN_MAIL"]
 
-    assert pwd.getpwnam(conf["JWEBMAIL"]["READ_MAILS"]["MAILBOX_USER"])
     assert os_path.isdir(conf["JWEBMAIL"]["READ_MAILS"]["MAILBOX"])
-    assert os_path.isfile(conf["JWEBMAIL"]["READ_MAILS"]["AUTHENTICATOR"])
     assert os_path.isfile(conf["JWEBMAIL"]["READ_MAILS"]["BACKEND"])
 
+    assert pwd.getpwnam(
+        conf["JWEBMAIL"]["READ_MAILS"].setdefault("MAILBOX_USER", environ["USER"])
+    )
+    assert os_path.isfile(
+        conf["JWEBMAIL"]["READ_MAILS"].setdefault("AUTHENTICATOR", "qmail-authuser")
+    )
+
+    conf["JWEBMAIL"].setdefault("DEFAULT_LANGUAGE", "de")
+
 
 def create_app():
     app = Flask(__name__)
@@ -50,6 +57,8 @@ def create_app():
     app.config.from_file("../../jwebmail.toml", load=toml_load, text=False)
     validate_config(app)
 
+    DEFAULT_LANGUAGE = app.config["JWEBMAIL"]["DEFAULT_LANGUAGE"]
+
     Babel(app, locale_selector=lambda: g.get("lang_code", DEFAULT_LANGUAGE))
 
     app.cli.add_command(compile_css_command)
@@ -109,8 +118,8 @@ def route(app):
     )
 
     lr_rawmail = login_required(rawmail)
-    app.add_url_rule("/raw/<msgid>", endpoint="raw", view_func=rawmail)
-    app.add_url_rule("/raw/<folder>/<msgid>", endpoint="raw", view_func=rawmail)
+    app.add_url_rule("/raw/<msgid>", endpoint="raw", view_func=lr_rawmail)
+    app.add_url_rule("/raw/<folder>/<msgid>", endpoint="raw", view_func=lr_rawmail)
 
     lr_writemail = login_required(writemail)
     app.add_url_rule("/write", endpoint="write", view_func=lr_writemail)
-- 
cgit v1.2.3