From 37eec298d7c990b34dfe630f905c0f2d6144b275 Mon Sep 17 00:00:00 2001
From: Ralph Slooten <axllent@gmail.com>
Date: Sat, 6 Aug 2022 23:11:55 +1200
Subject: [PATCH 1/8] 0.1.1

---
 CHANGELOG.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9366cd9..5312bb7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,12 @@
 Notable changes to Mailpit will be documented in this file.
 
 
+## 0.1.1
+
+### Bugfix
+- Fix env variable for MP_UI_SSL_KEY
+
+
 ## 0.1.0
 
 ### Feature

From 056bef7d5eb75d51b812f50b02df22fab39a8df8 Mon Sep 17 00:00:00 2001
From: Ralph Slooten <axllent@gmail.com>
Date: Sat, 6 Aug 2022 23:35:58 +1200
Subject: [PATCH 2/8] Security: Use strconv.Atoi() for safe string to int
 conversions

---
 server/server.go | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/server/server.go b/server/server.go
index 069ce67..65c111e 100644
--- a/server/server.go
+++ b/server/server.go
@@ -156,16 +156,13 @@ func getStartLimit(req *http.Request) (start int, limit int) {
 	limit = 50
 
 	s := req.URL.Query().Get("start")
-	if n, e := strconv.ParseInt(s, 10, 64); e == nil && n > 0 {
-		start = int(n)
+	if n, err := strconv.Atoi(s); err == nil && n > 0 {
+		start = n
 	}
 
 	l := req.URL.Query().Get("limit")
-	if n, e := strconv.ParseInt(l, 10, 64); e == nil && n > 0 {
-		if n > 500 {
-			n = 500
-		}
-		limit = int(n)
+	if n, err := strconv.Atoi(l); err == nil && n > 0 {
+		limit = n
 	}
 
 	return start, limit

From 11554437854646c5ee26d3056c2b9e2d3f89de33 Mon Sep 17 00:00:00 2001
From: Ralph Slooten <axllent@gmail.com>
Date: Sat, 6 Aug 2022 23:53:15 +1200
Subject: [PATCH 3/8] Security: Sanitize mailbox names

---
 storage/database.go | 41 ++++++++++++++++++++++++++++++++---------
 storage/stats.go    |  2 ++
 storage/utils.go    |  8 ++++++++
 3 files changed, 42 insertions(+), 9 deletions(-)

diff --git a/storage/database.go b/storage/database.go
index f638410..4b83004 100644
--- a/storage/database.go
+++ b/storage/database.go
@@ -140,40 +140,44 @@ func MailboxExists(name string) bool {
 }
 
 // CreateMailbox will create a collection if it does not exist
-func CreateMailbox(name string) error {
-	if !MailboxExists(name) {
-		logger.Log().Infof("[db] creating mailbox: %s", name)
+func CreateMailbox(mailbox string) error {
+	mailbox = sanitizeMailboxName(mailbox)
 
-		if err := db.CreateCollection(name); err != nil {
+	if !MailboxExists(mailbox) {
+		logger.Log().Infof("[db] creating mailbox: %s", mailbox)
+
+		if err := db.CreateCollection(mailbox); err != nil {
 			return err
 		}
 
 		// create Created index
-		if err := db.CreateIndex(name, "Created"); err != nil {
+		if err := db.CreateIndex(mailbox, "Created"); err != nil {
 			return err
 		}
 
 		// create Read index
-		if err := db.CreateIndex(name, "Read"); err != nil {
+		if err := db.CreateIndex(mailbox, "Read"); err != nil {
 			return err
 		}
 
 		// create separate collection for data
-		if err := db.CreateCollection(name + "_data"); err != nil {
+		if err := db.CreateCollection(mailbox + "_data"); err != nil {
 			return err
 		}
 
 		// create Created index
-		if err := db.CreateIndex(name+"_data", "Created"); err != nil {
+		if err := db.CreateIndex(mailbox+"_data", "Created"); err != nil {
 			return err
 		}
 	}
 
-	return statsRefresh(name)
+	return statsRefresh(mailbox)
 }
 
 // Store will store a message in the database and return the unique ID
 func Store(mailbox string, b []byte) (string, error) {
+	mailbox = sanitizeMailboxName(mailbox)
+
 	r := bytes.NewReader(b)
 	// Parse message body with enmime.
 	env, err := enmime.ReadEnvelope(r)
@@ -254,6 +258,8 @@ func Store(mailbox string, b []byte) (string, error) {
 // as clover's `Skip()` returns a subset of all results which is much slower.
 // @see https://github.com/ostafen/clover/issues/73
 func List(mailbox string, start, limit int) ([]data.Summary, error) {
+	mailbox = sanitizeMailboxName(mailbox)
+
 	var lastDoc *clover.Document
 	count := 0
 	startAddingAt := start + 1
@@ -314,6 +320,8 @@ func List(mailbox string, start, limit int) ([]data.Summary, error) {
 
 // Search returns a summary of items mathing a search. It searched the SearchText field.
 func Search(mailbox, search string, start, limit int) ([]data.Summary, error) {
+	mailbox = sanitizeMailboxName(mailbox)
+
 	sq := fmt.Sprintf("(?i)%s", cleanString(regexp.QuoteMeta(search)))
 	q, err := db.FindAll(clover.NewQuery(mailbox).
 		Skip(start).
@@ -340,11 +348,15 @@ func Search(mailbox, search string, start, limit int) ([]data.Summary, error) {
 
 // Count returns the total number of messages in a mailbox
 func Count(mailbox string) (int, error) {
+	mailbox = sanitizeMailboxName(mailbox)
+
 	return db.Count(clover.NewQuery(mailbox))
 }
 
 // CountUnread returns the unread number of messages in a mailbox
 func CountUnread(mailbox string) (int, error) {
+	mailbox = sanitizeMailboxName(mailbox)
+
 	return db.Count(
 		clover.NewQuery(mailbox).
 			Where(clover.Field("Read").IsFalse()),
@@ -355,6 +367,8 @@ func CountUnread(mailbox string) (int, error) {
 // ID must be supplied as this is not stored within the CloverStore but rather the
 // *clover.Document
 func GetMessage(mailbox, id string) (*data.Message, error) {
+	mailbox = sanitizeMailboxName(mailbox)
+
 	q, err := db.FindById(mailbox+"_data", id)
 	if err != nil {
 		return nil, err
@@ -440,6 +454,8 @@ func GetMessage(mailbox, id string) (*data.Message, error) {
 
 // GetAttachmentPart returns an *enmime.Part (attachment or inline) from a message
 func GetAttachmentPart(mailbox, id, partID string) (*enmime.Part, error) {
+	mailbox = sanitizeMailboxName(mailbox)
+
 	data, err := GetMessageRaw(mailbox, id)
 	if err != nil {
 		return nil, err
@@ -475,6 +491,8 @@ func GetAttachmentPart(mailbox, id, partID string) (*enmime.Part, error) {
 
 // GetMessageRaw returns an []byte of the full message
 func GetMessageRaw(mailbox, id string) ([]byte, error) {
+	mailbox = sanitizeMailboxName(mailbox)
+
 	q, err := db.FindById(mailbox+"_data", id)
 	if err != nil {
 		return nil, err
@@ -491,6 +509,8 @@ func GetMessageRaw(mailbox, id string) ([]byte, error) {
 
 // UnreadMessage will delete all messages from a mailbox
 func UnreadMessage(mailbox, id string) error {
+	mailbox = sanitizeMailboxName(mailbox)
+
 	updates := make(map[string]interface{})
 	updates["Read"] = false
 
@@ -501,6 +521,8 @@ func UnreadMessage(mailbox, id string) error {
 
 // DeleteOneMessage will delete a single message from a mailbox
 func DeleteOneMessage(mailbox, id string) error {
+	mailbox = sanitizeMailboxName(mailbox)
+
 	q, err := db.FindById(mailbox, id)
 	if err != nil {
 		return err
@@ -519,6 +541,7 @@ func DeleteOneMessage(mailbox, id string) error {
 
 // DeleteAllMessages will delete all messages from a mailbox
 func DeleteAllMessages(mailbox string) error {
+	mailbox = sanitizeMailboxName(mailbox)
 
 	totalStart := time.Now()
 
diff --git a/storage/stats.go b/storage/stats.go
index 37a8162..f78b81e 100644
--- a/storage/stats.go
+++ b/storage/stats.go
@@ -15,6 +15,8 @@ var (
 
 // StatsGet returns the total/unread statistics for a mailbox
 func StatsGet(mailbox string) data.MailboxStats {
+	mailbox = sanitizeMailboxName(mailbox)
+
 	statsLock.Lock()
 	defer statsLock.Unlock()
 	s, ok := mailboxStats[mailbox]
diff --git a/storage/utils.go b/storage/utils.go
index f2bbb18..511ffdc 100644
--- a/storage/utils.go
+++ b/storage/utils.go
@@ -92,3 +92,11 @@ func pruneCron() {
 		}
 	}
 }
+
+// SanitizeMailboxName returns a clean mailbox name
+// allowing only `alphanumeric` characters and `-``
+func sanitizeMailboxName(mailbox string) string {
+	re := regexp.MustCompile(`[^a-zA-Z0-9\-]`)
+
+	return re.ReplaceAllString(mailbox, "")
+}

From 788e390e01efdda0513b617eceae64f424c97f11 Mon Sep 17 00:00:00 2001
From: Ralph Slooten <axllent@gmail.com>
Date: Sun, 7 Aug 2022 00:09:32 +1200
Subject: [PATCH 4/8] Ignore http.RsponseWriter errors

---
 server/api.go               | 18 +++++++++---------
 server/server.go            |  2 +-
 server/websockets/client.go |  2 +-
 storage/database.go         |  4 ++--
 storage/utils.go            |  2 +-
 5 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/server/api.go b/server/api.go
index c00f850..e5f5662 100644
--- a/server/api.go
+++ b/server/api.go
@@ -29,7 +29,7 @@ func apiListMailboxes(w http.ResponseWriter, _ *http.Request) {
 
 	bytes, _ := json.Marshal(res)
 	w.Header().Add("Content-Type", "application/json")
-	w.Write(bytes)
+	_, _ = w.Write(bytes)
 }
 
 func apiListMailbox(w http.ResponseWriter, r *http.Request) {
@@ -62,7 +62,7 @@ func apiListMailbox(w http.ResponseWriter, r *http.Request) {
 
 	bytes, _ := json.Marshal(res)
 	w.Header().Add("Content-Type", "application/json")
-	w.Write(bytes)
+	_, _ = w.Write(bytes)
 }
 
 func apiSearchMailbox(w http.ResponseWriter, r *http.Request) {
@@ -102,7 +102,7 @@ func apiSearchMailbox(w http.ResponseWriter, r *http.Request) {
 
 	bytes, _ := json.Marshal(res)
 	w.Header().Add("Content-Type", "application/json")
-	w.Write(bytes)
+	_, _ = w.Write(bytes)
 }
 
 // Open a message
@@ -120,7 +120,7 @@ func apiOpenMessage(w http.ResponseWriter, r *http.Request) {
 
 	bytes, _ := json.Marshal(msg)
 	w.Header().Add("Content-Type", "application/json")
-	w.Write(bytes)
+	_, _ = w.Write(bytes)
 }
 
 // Download/view an attachment
@@ -143,7 +143,7 @@ func apiDownloadAttachment(w http.ResponseWriter, r *http.Request) {
 
 	w.Header().Add("Content-Type", a.ContentType)
 	w.Header().Set("Content-Disposition", "filename=\""+fileName+"\"")
-	w.Write(a.Content)
+	_, _ = w.Write(a.Content)
 }
 
 // View the full email source as plain text
@@ -165,7 +165,7 @@ func apiDownloadSource(w http.ResponseWriter, r *http.Request) {
 	if dl == "1" {
 		w.Header().Set("Content-Disposition", "attachment; filename=\""+id+".eml\"")
 	}
-	w.Write(data)
+	_, _ = w.Write(data)
 }
 
 // Delete all messages in the mailbox
@@ -181,7 +181,7 @@ func apiDeleteAll(w http.ResponseWriter, r *http.Request) {
 	}
 
 	w.Header().Add("Content-Type", "text/plain")
-	w.Write([]byte("ok"))
+	_, _ = w.Write([]byte("ok"))
 }
 
 // Delete a single message
@@ -198,7 +198,7 @@ func apiDeleteOne(w http.ResponseWriter, r *http.Request) {
 	}
 
 	w.Header().Add("Content-Type", "text/plain")
-	w.Write([]byte("ok"))
+	_, _ = w.Write([]byte("ok"))
 }
 
 // Mark single message as unread
@@ -215,7 +215,7 @@ func apiUnreadOne(w http.ResponseWriter, r *http.Request) {
 	}
 
 	w.Header().Add("Content-Type", "text/plain")
-	w.Write([]byte("ok"))
+	_, _ = w.Write([]byte("ok"))
 }
 
 // Websocket to broadcast changes
diff --git a/server/server.go b/server/server.go
index 65c111e..8c202a9 100644
--- a/server/server.go
+++ b/server/server.go
@@ -64,7 +64,7 @@ func Listen() {
 func basicAuthResponse(w http.ResponseWriter) {
 	w.Header().Set("WWW-Authenticate", `Basic realm="Login"`)
 	w.WriteHeader(http.StatusUnauthorized)
-	w.Write([]byte("Unauthorised.\n"))
+	_, _ = w.Write([]byte("Unauthorised.\n"))
 }
 
 type gzipResponseWriter struct {
diff --git a/server/websockets/client.go b/server/websockets/client.go
index 2b6f0e1..8499dce 100644
--- a/server/websockets/client.go
+++ b/server/websockets/client.go
@@ -133,5 +133,5 @@ func ServeWs(hub *Hub, w http.ResponseWriter, r *http.Request) {
 func basicAuthResponse(w http.ResponseWriter) {
 	w.Header().Set("WWW-Authenticate", `Basic realm="Login"`)
 	w.WriteHeader(http.StatusUnauthorized)
-	w.Write([]byte("Unauthorised.\n"))
+	_, _ = w.Write([]byte("Unauthorised.\n"))
 }
diff --git a/storage/database.go b/storage/database.go
index 4b83004..b2aa8f1 100644
--- a/storage/database.go
+++ b/storage/database.go
@@ -224,7 +224,7 @@ func Store(mailbox string, b []byte) (string, error) {
 	if err != nil {
 		// delete the summary because the data insert failed
 		logger.Log().Debugf("[db] error inserting raw message, rolling back")
-		DeleteOneMessage(mailbox, id)
+		_ = DeleteOneMessage(mailbox, id)
 
 		return "", err
 	}
@@ -567,7 +567,7 @@ func DeleteAllMessages(mailbox string) error {
 	}
 
 	// resets stats for mailbox
-	statsRefresh(mailbox)
+	_ = statsRefresh(mailbox)
 
 	elapsed := time.Since(totalStart)
 	logger.Log().Infof("Deleted %d messages from %s in %s", totalMessages, mailbox, elapsed)
diff --git a/storage/utils.go b/storage/utils.go
index 511ffdc..2cd2c19 100644
--- a/storage/utils.go
+++ b/storage/utils.go
@@ -84,7 +84,7 @@ func pruneCron() {
 				}
 				elapsed := time.Since(start)
 				logger.Log().Infof("Pruned %d messages from %s in %s", limit, m, elapsed)
-				statsRefresh(m)
+				_ = statsRefresh(m)
 				if !strings.HasSuffix(m, "_data") {
 					websockets.Broadcast("prune", nil)
 				}

From 544f0175d9968151df8fcd537f6399ea3fcb05fa Mon Sep 17 00:00:00 2001
From: Ralph Slooten <axllent@gmail.com>
Date: Sun, 7 Aug 2022 00:26:18 +1200
Subject: [PATCH 5/8] Security: Don't allow tar files containing a ".."

---
 updater/targz.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/updater/targz.go b/updater/targz.go
index 4819b05..02d30c1 100644
--- a/updater/targz.go
+++ b/updater/targz.go
@@ -8,6 +8,7 @@ import (
 	"io"
 	"os"
 	"path/filepath"
+	"strings"
 	"syscall"
 )
 
@@ -184,6 +185,10 @@ func extract(filePath string, directory string) error {
 		}
 
 		fileInfo := header.FileInfo()
+		// paths could contain a '..', is used in a file system operations
+		if strings.Contains(fileInfo.Name(), "..") {
+			continue
+		}
 		dir := filepath.Join(directory, filepath.Dir(header.Name))
 		filename := filepath.Join(dir, fileInfo.Name())
 

From 642487742c8ba27f1a24c68098bfaa81cff0677a Mon Sep 17 00:00:00 2001
From: Ralph Slooten <axllent@gmail.com>
Date: Sun, 7 Aug 2022 01:04:55 +1200
Subject: [PATCH 6/8] Feature: Optional browser notifications (HTTPS only)

---
 server/ui-src/App.vue |  85 ++++++++++++++++++++++++++++++++++++++----
 server/ui/mailpit.png | Bin 0 -> 3044 bytes
 2 files changed, 78 insertions(+), 7 deletions(-)
 create mode 100644 server/ui/mailpit.png

diff --git a/server/ui-src/App.vue b/server/ui-src/App.vue
index 139076e..e846b83 100644
--- a/server/ui-src/App.vue
+++ b/server/ui-src/App.vue
@@ -21,7 +21,9 @@ export default {
 			searching: false,
 			isConnected: false,
 			scrollInPlace: false,
-			message: false
+			message: false,
+			notificationsSupported: false,
+			notificationsEnabled: false
 		}
 	},
 	watch: {
@@ -47,6 +49,10 @@ export default {
 			this.currentPath = window.location.hash.slice(1);
 		});
 
+		this.notificationsSupported = 'https:' == document.location.protocol 
+			&& ("Notification" in window && Notification.permission !== "denied");
+		this.notificationsEnabled = this.notificationsSupported && Notification.permission == "granted";
+
 		this.connect();
 		this.loadMessages();
 	},
@@ -214,6 +220,7 @@ export default {
 					}
 	                self.total++;
 					self.unread++;
+					self.browserNotify("New mail from: " + response.Data.From.Address, response.Data.Subject);
                 } else if (response.Type == "prune") {
 					// messages have been deleted, reload messages to adjust
 					self.scrollInPlace = true;
@@ -252,6 +259,41 @@ export default {
             let d = new Date(message.Created)
             return moment(d).fromNow().toString();
         },
+
+		browserNotify: function(title, message) {
+			if (!("Notification" in window)) {
+				return;
+			}
+
+			if (Notification.permission === "granted") {
+				let b = message.Subject;
+				let options = {
+					body: message,
+					icon: 'mailpit.png'
+				}
+				new Notification(title, options);
+			}
+		},
+
+		requestNotifications: function() {
+			// check if the browser supports notifications
+			if (!("Notification" in window)) {
+				alert("This browser does not support desktop notification");
+			}
+
+			// we need to ask the user for permission
+			else if (Notification.permission !== "denied") {
+				let self = this;
+				Notification.requestPermission().then(function (permission) {
+				// If the user accepts, let's create a notification
+					if (permission === "granted") {
+						self.browserNotify("Notifications enabled", "You will receive notifications when new mails are received.");
+						self.notificationsEnabled = true;
+					}
+				});
+			}
+		}
+
 	}
 }
 </script>
@@ -315,7 +357,7 @@ export default {
 	</div>
 	<div class="row flex-fill" style="min-height:0">
 		<div class="d-none d-md-block col-lg-2 col-md-3 mh-100 position-relative" style="overflow-y: auto;">
-			<ul class="list-unstyled mt-3">
+			<ul class="list-unstyled mt-3 mb-5">
 				<li v-if="isConnected" title="Messages will auto-load">
 					<i class="bi bi-power text-success"></i>
 					Connected
@@ -334,13 +376,19 @@ export default {
 						</span>
 					</a>
 				</li>
-				<li class="mt-3 mb-5">
-					<a v-if="total" href="#" data-bs-toggle="modal" data-bs-target="#deleteAllModal">
+				<li class="mt-3">
+					<a v-if="total" href="#" data-bs-toggle="modal" data-bs-target="#DeleteAllModal">
 						<i class="bi bi-trash-fill me-1 text-danger"></i>
 						Delete all
 					</a>
 				</li>
-				<li class="mt-5 position-fixed bottom-0 w-100">
+				<li class="mt-3" v-if="notificationsSupported && !notificationsEnabled">
+					<a href="#" data-bs-toggle="modal" data-bs-target="#EnableNotificationsModal" title="Enable browser notifications">
+						<i class="bi bi-bell"></i>
+						Enable alerts
+					</a>
+				</li>
+				<li class="mt-5 position-fixed bottom-0">
 					<a href="https://github.com/axllent/mailpit" target="_blank" class="text-muted w-100 d-block bg-white py-2">
 						<i class="bi bi-github"></i>
 						GitHub
@@ -400,11 +448,11 @@ export default {
 	</div>
 
 	<!-- Modal -->
-	<div class="modal fade" id="deleteAllModal" tabindex="-1" aria-labelledby="deleteAllModalLabel" aria-hidden="true">
+	<div class="modal fade" id="DeleteAllModal" tabindex="-1" aria-labelledby="DeleteAllModalLabel" aria-hidden="true">
 		<div class="modal-dialog">
 			<div class="modal-content">
 			<div class="modal-header">
-				<h5 class="modal-title" id="deleteAllModalLabel">Delete all messages?</h5>
+				<h5 class="modal-title" id="DeleteAllModalLabel">Delete all messages?</h5>
 				<button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="Close"></button>
 			</div>
 			<div class="modal-body">
@@ -418,4 +466,27 @@ export default {
 		</div>
 	</div>
 
+	<!-- Modal -->
+	<div class="modal fade" id="EnableNotificationsModal" tabindex="-1" aria-labelledby="EnableNotificationsModalLabel" aria-hidden="true">
+		<div class="modal-dialog modal-lg">
+			<div class="modal-content">
+			<div class="modal-header">
+				<h5 class="modal-title" id="EnableNotificationsModalLabel">Enable browser notifications?</h5>
+				<button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="Close"></button>
+			</div>
+			<div class="modal-body">
+				<p class="h4">Get browser notifications when Mailpit receives a new mail?</p>
+				<p>
+					Note that your browser will ask you for confirmation when you click <code>enable notifications</code>,
+					and that you must have Mailpit open in a browser tab to be able to receive the notifications.
+				</p>
+			</div>
+			<div class="modal-footer">
+				<button type="button" class="btn btn-secondary" data-bs-dismiss="modal">Cancel</button>
+				<button type="button" class="btn btn-primary" data-bs-dismiss="modal" v-on:click="requestNotifications">Enable notifications</button>
+			</div>
+			</div>
+		</div>
+	</div>
+
 </template>
diff --git a/server/ui/mailpit.png b/server/ui/mailpit.png
new file mode 100644
index 0000000000000000000000000000000000000000..dadbdd9562832ce3124e26b5aca19f63a75b187d
GIT binary patch
literal 3044
zcmV<A3mf!_P)<h;3K|Lk000e1NJLTq002P%002A)1^@s6IZM}C00004b3#c}2nYxW
zd<bNS00009a7bBm0005&0005&0gTzUK>z>%8FWQhbW?9;ba!ELWdL_~cP?peYja~^
zaAhuUa%Y?FJQ@H13t>q_K~!jg)tY;7RMj2FKfk-1ghWDpAigTT0A=z31_!iGEmef<
zhJcQZ(^lC;v5{J9?Yo3hw-Pp@ZB?YTr9P4+Qi-TYU^hft=-7@GrPl0HS_s$*)qyEk
zArKOF@2`I(8?wpWXLfD<&g{%R=l3|j``zC;_q>D{D0WnRRiHkW{F4WLAuzJ5hUcFT
z50=<snH=nR=dE)upL7J3>$4l&$AQ=cKpYYP4(xvC&2uJ9J_>w-iHJ`CBp?Cc;3t>}
z71jkucHI?^001NMP&E6tae!DU1$>P^2mN7&W6UZPT@##kNz4qGGWU-2BhURL7-Fj^
zc2+%#+ih4G1^nKXpA;e#T@##s={>mJrj@+ZQGH*iC*+Ehqh45)s**SMJ{FG%MVDkY
z<jg`vpG`!7qHY9@)LFc&%rD;d?y4CxX4tKq1pVH}Rrpb+g3csV^x5FFOTQkAfMSQM
zR#A7aF8w-||F|e$IFvv3S22n3HLm!7BO(C-Qe0N$5#)OV4I+=0B=p(ce5l}}U&kjx
z?@vGM%pnm0C64NP5$+yr7I}z60-)UV@BE9NnmV;6$4VUZc^~_q6QMN4%>YN$L!b+X
z2sA-=h*E}m-D6Iy9_Mi6S;>Pw?_+|vQ;9ocP?`c)U2?A_0hN`uVyA1Rz*nqHMUv_c
z0}PO|d>P}7MMS&5;ZZ~$OfvM$AOQg-$MSzJD!0ZmH^oeiguX^+=QF11;u+N=ti%Cd
z!-Fa;PukybkcfcJ{3lTPVget@cZWf^VPt{%Y%C&zzQ+2j6A_1iqRPtLlFougkXsVD
zk)#JkD`S=G3-iqvrdHGxSjmIF#(G5`O4V;tNI-ybEWZJmla#Mi#{>%x*Yt!=tSg;0
z|1>LU(C_tRoQOCCTwPh2FP#O?q2f&1-7vbt0LW+5FxC}S-aXPv8uWWT0uQI}e*h8?
z(Ain=oWOM{`5b;GL>zIobauuhqTS!P4B;okY6D#zi-4&WH3dgI^P7RsrSA9C;<A^7
zmbwel4N;J*r1RJdm(RVU&`KWgHP)q1gsu)uzw{ec1dMasI;tn!y<U*drsG-E7}Oo?
zazlDS_Bn*<xhF#{CFNf}!%80THP(UtG&QfW379&w=2Q9DUqqRfUc>+c=LwsaUII)=
z-&q7Q88c^n(d-3hT1f+b@6zOnh)uxc8>>(6&gotcTsfR*&8RU!b4pRMOyx8%$uL4M
z#mor5cPa3*_%75Ni-6Ku^T&j{)h{q*m~r;lOgR`S7+@A5GExn-T!W{9Nov|RTyeeY
zEGuEa-}nGAiBNA~`la_-&I6p)=bAQSBQP=T$VB%kEY+T#lJ?fd4UuXC<qFg+L^zbT
z^TBN)CH6e=6*;TVwUP(?jSr~kBhj_7379m;b%CL}Nz&@JY9hK7r24Gm?@bB%8-E)7
z?QahBi?_H(*ntZX={8J#U#<69(}F0M3+DRLS@Y+%x2--nSRV9we_ZTziKyHcHv=kM
zW6cmPz(uLFufjo5noK(lJ6gQ&4N=(SnSf32pi9aHzh@_Ke9DU5Wg*PnsWg;iIJ-lp
zId|vgrVlKHQsStd7w|W{%z(Lk1Vt6Du||j%kQ4~ezaU1#(c?V#kF5<SqC~zGc^F4;
z2JS-T+P>O93VzQaz=ost^b)5lfXao*H<%=Zj!-yU5rYUzOq^3a-frp!l=Bkls^~|e
z#&1MJ&$PET{e6f++tTrbZ8f0PAfpFK8wJ0o6F3diytsJfu5Suboot{f;=PdAD|Y&x
z`e!1=Nlw=UQ`rDwIi{RK@4udF%WdA?vg&x0sM(!MVctB@yXc)#$Li}#>_G2EiA}CS
z%uT4RI#G~mVyummFBi|cy&~B5%)VGklV(>Hg;m!Ja<-LRp-a$p20Z<a-~09ug_gPt
zu-R@y^d8VpCk{*Y*r9JVrE=Zq<NFsLD!Ax_WKu94h|0y-On>RD`4#PLtKS_gFD`SH
zng%b4%FxfN&><>KrfKsAH$QbaO18yq=R{sb-@kqXXew)>4#Dp^0E_|sHzQ7-SMt!_
zZ-XpK?e$W|ehHgVM3j_QO;uB05ajd$dOg5KL-px*TD^Z5;-zi*`Gm~*pm!sTO)HYH
zoGJL~cOg0+0F~>Dp4qoeIy>Kvm5v#MaDb4^3$!)-t<*Vxx~i;$zL~4=fud`3?Dkb}
zZ+QCsD7)rn8zXl)!KguSki?;K92~|`dzKy1eZcs>#&6&8{4ai2TJCy8O+3SJo*2qG
z*v$3C<*qt4WjScRqOGd>%#P`oy)tCZ(7NnAOv8nAECl1?3`NlaAox8ifv@#dcB5Q4
z?(x@-<jdJ_W#w}@6k!!zLCE&>kO9-}Hn=M9I#g?b8v)DnkF=qz!C8B&fwE&jbsoqa
z9e#heY3g?d9$ID*Hk66_sr(P4YTK5MXL{~#R9^uq$ut1~=pFzAo4yuRFIr1W-32>Z
zS8rD3$;>xA6oQl)oyT68=v;7WW;kofZba_|KFVU#9RLQi7YBj;0|cY68;=5XcF7VI
z-C<>&1x&Paa!Zk;>YDzVvc;P)nFjndJ55SoCIFzVgQQ=;S6A_mtqmu_hEbi#6=qzh
zoN2&|rOv7^_1Bfx?!s<-24!Q$+soCyOaL&&BJGWp_}rs*Zfw{s;cz8zEaO2~BTtnl
zN*vV>_Fopc;RheFt!Ey>16VAy(!^0_E<OMe63T1e0R9}MB8)|H8c>z?%}sw+xE<ld
zU{BeDE-cx$x2gYZ!|gUHtGyqU6&Z0a?1?;{nqI0tW}$f#{s(ITg8s%f)0B#jt!n^a
z9LdScKlRW1mwgk_uV=)ysTL%3j(-+p=rUAvDXsN)0_<pQcvH-<Gy8+39u@S?fUjZU
z_Lf!0X>PXR^E?jnGlqLs5`jqn-pMJ4x7-p2v(8E#)nDTGEC6V4ZTh>O*7bS7gOK$8
zfOR08Q1m|oe+b(otk<^tz3TvYd3hm)9UBqu8CF|E+Lr!Ih+bniH`^%ecoXa0Tm^na
z*`j6rM_6vRF}3A=+xG3NPG&T~2sYPUh-qvDN;B?T^g7BGZvm@~2A}712wUS=Zz4yl
zm|2_Mv0+o)l^Dhb$j-7J!yL=(AMOLI{^hLwJ@9;NYc1y_JMnuK#JcY|EV$hUe$N67
zV=LJr08a3F=wFe7^_J7C%g*5>L5uyk!3ZEc%;>Y8<I1~+*Cm>pZH(GG2Q}|!_=hWr
z@K+qQMUg`6J$8S6C1`V!P7eZWQF9I3Lfc|prW}H1cP=AyuSRq>hzm&jVAuj7dZ*h~
z<H-gbweuo{_y-Ms&y&D{6dON^=-a6L1#~~iVUQzW=7CWFdM3&Qge&?2w7lpsOoR}<
zmC>VL;^5(j5&cHASRTQ#=v$GJ<wea?uhVlkg}LKM?fk#6Z%_Z)QyeS3&wcZr%$@OA
zp$8Qgj@n2T--oaMbwr;8BKIgd1{%a4*luz6ki*Tuu8fD89UMWV9Ot67QMJxRYYE$?
zA-c1-!rU`ZoOpDfS$hc489;lcBFz%sMT~1HTlA`>bk6s8l6P_%!dldf%7o+-b7TD(
z*t7+>CZX=f4%visyC`!XPOJ;4N_uye<}CV<5j`^zT@GaG7=O6vLgfd%(LFb50wC(r
z7Nk2w`RiwZHjv^;afabT!}sD`vL~@>e55~4x3~+i<<=m47dStme&(<pm0FyO+A`&E
z_#dk+?h$n7EI{R}Kv6>d^biJK0euw5;?0?Mp4l(<re%|{85O9`ruSl%<*oQ6VS@Y#
z(U&o8YjA#le`1sLkiBWk7Pp<_BPJr@DTpx{^s?Tyh>ix%21Wr#P>v$f1$>C=UWA>9
myhT^{pSa2WpRC0<0RII{z?*oje%)>W0000<MNUMnLSTXsgUY@D

literal 0
HcmV?d00001


From 39132723dbc0bf3da3e5b022ad06866deafc44c7 Mon Sep 17 00:00:00 2001
From: Ralph Slooten <axllent@gmail.com>
Date: Sun, 7 Aug 2022 01:07:04 +1200
Subject: [PATCH 7/8] Update README

---
 README.md | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/README.md b/README.md
index f52959b..1dc3a32 100644
--- a/README.md
+++ b/README.md
@@ -15,6 +15,7 @@ Mailpit is inspired by [MailHog](#why-rewrite-mailhog), but much, much faster.
 - SMTP server (default `0.0.0.0:1025`)
 - Web UI to view emails (HTML format, text, source and MIME attachments, default `0.0.0.0:8025`)
 - Real-time web UI updates using web sockets for new mail
+- Optional browser notifications for new mail (HTTPS only)
 - Configurable automatic email pruning (default keeps the most recent 500 emails)
 - Email storage either in memory or disk ([see wiki](https://github.com/axllent/mailpit/wiki/Email-storage))
 - Fast SMTP processing & storing - approximately 300-600 emails per second depending on CPU, network speed & email size
@@ -25,11 +26,6 @@ Mailpit is inspired by [MailHog](#why-rewrite-mailhog), but much, much faster.
 - Multi-architecture [Docker images](https://github.com/axllent/mailpit/wiki/Docker-images)
 
 
-## Planned features
-
-- Browser notifications for new mail (HTTPS only)
-
-
 ## Installation
 
 Download a pre-built binary in the [releases](https://github.com/axllent/mailpit/releases/latest). The `mailpit` can be placed in your `$PATH`, or simply run as `./mailpit`. See `mailpit -h` for options.

From cf8994ceaf370677336e1d8c6d34f113f9e780e6 Mon Sep 17 00:00:00 2001
From: Ralph Slooten <axllent@gmail.com>
Date: Sun, 7 Aug 2022 01:07:58 +1200
Subject: [PATCH 8/8] Release 0.1.2

---
 CHANGELOG.md | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5312bb7..27be4b7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,17 @@
 Notable changes to Mailpit will be documented in this file.
 
 
+## 0.1.2
+
+### Feature
+- Optional browser notifications (HTTPS only)
+
+### Security
+- Don't allow tar files containing a ".."
+- Sanitize mailbox names
+- Use strconv.Atoi() for safe string to int conversions
+
+
 ## 0.1.1
 
 ### Bugfix