eric/mailpit
1
0
Fork 0
mirror of https://github.com/axllent/mailpit.git synced 2026-03-03 03:37:00 +00:00
Code Issues Packages Projects Releases Wiki Activity
1,722 Commits 2 Branches 182 Tags
develop
Commit Graph

422 Commits

Author SHA1 Message Date
Ralph Slooten
10ad4df8cc Security: Prevent Server-Side Request Forgery (SSRF) via Link Check API ([GHSA-mpf7-p9x7-96r3](https://github.com/axllent/mailpit/security/advisories/GHSA-mpf7-p9x7-96r3)) 
By default all internal HTTP requests are now blocked, unless mailpit is started with the `--allow-internal-http-requests` flag (env  `MP_ALLOW_INTERNAL_HTTP_REQUESTS=true`).
 2026-02-24 14:22:02 +13:00
Ralph Slooten
08ed46fc46 Use const instead of let 2026-02-21 22:43:51 +13:00
Ralph Slooten
c8caa29e24 Fix: Enable "Mark all read" button (Inbox) when new message is received 2026-02-09 15:38:11 +13:00
Ralph Slooten
7d314d2b50 Chore: Add CORS error logging and update error messages for failed CORS requests 2026-02-08 11:19:54 +13:00
Ralph Slooten
9d2f30787a Fix spelling 2026-02-08 11:17:17 +13:00
Ralph Slooten
e6fd638067 Detect if copy to clipboard is supported 2026-02-01 16:09:49 +13:00
Ralph Slooten
e2b1b2d0fe Code cleanup 2026-02-01 15:58:31 +13:00
Ralph Slooten
9b4ec97483 Minor UI tweaks 2026-02-01 15:44:13 +13:00
Ralph Slooten
dd74d46880 Feature: Option to display/hide attachment information in message view in web UI including checksums, content type & disposition 
Resolves #625
 2026-02-01 15:34:06 +13:00
Ralph Slooten
0bfbb4cc5f Feature: Include message attachment checksums (MD5, SHA1 & SHA254) in API message summary 2026-02-01 15:34:05 +13:00
Roman Urbanovich
9391b075d0 Chore: Add support for webhook delay (#627) 2026-02-01 15:33:54 +13:00
Ralph Slooten
8d18618e4a Test: Add CORS tests 2026-02-01 15:33:53 +13:00
Ralph Slooten
a63bcd9bd3 Chore: Add support for multi-origin CORS settings and apply to events websocket (#630) 2026-02-01 15:33:53 +13:00
Ralph Slooten
b9f36312d7 Fix: Avoid error on image type assertion in thumbnail generation 
Use imaging.Clone to ensure the image is always *image.NRGBA, preventing panics when decoding non-NRGBA images (e.g., JPEGs as *image.YCbCr).
 2026-01-25 10:05:39 +13:00
Ralph Slooten
7cda4a36f1 Chore: Allow @ character in message tags & set max length to 100 characters per tag 2026-01-17 11:12:45 +13:00
Ralph Slooten
3108d82e06 Fix: Correctly render default addresses in release modal after settings change (#594) 2026-01-10 22:19:18 +13:00
Ralph Slooten
c5c9292863 More reliable handling for default release email editing 2026-01-10 15:56:19 +13:00
Ralph Slooten
6f1f4f34c9 Security: Prevent Cross-Site WebSocket Hijacking (CSWSH) allowing unauthenticated access to message data [CVE-2026-22689](https://github.com/axllent/mailpit/security/advisories/GHSA-524m-q5m7-79mm) 2026-01-10 15:42:14 +13:00
Ralph Slooten
877a9159ce Delay bootstrap-tags init until after render 2026-01-08 16:23:24 +13:00
Ralph Slooten
c4582889ad Update default release address wording 2026-01-08 16:20:00 +13:00
Ralph Slooten
392904fd23 Chore: Avoid empty URL query parameter when returning to inbox from message view 2026-01-08 16:03:35 +13:00
Ralph Slooten
f0160c0e29 Feature: Allow default mail addresses to be set when releasing message (#594) 2026-01-08 16:03:35 +13:00
Ralph Slooten
f9024d1f77 Chore: Remove webkit warnings about missing template / render functions 2026-01-08 16:03:34 +13:00
Ralph Slooten
3b9b470c09 Security: Restrict screenshot proxy to only support asset links contained in messages [CVE-2026-21859](https://github.com/axllent/mailpit/security/advisories/GHSA-8v65-47jx-7mfr) 
This fix prevents unrestricted network probing via the screenshot proxy by limiting requests to images, fonts and CSS links found within a message, and returns a generic HTTP error to the client when unsupported content types are requested, not found, or otherwise disallowed.

See CWE-918 Server-Side Request Forgery (SSRF)
 2026-01-06 15:33:50 +13:00
Ralph Slooten
93088f3361 Chore: Add type assertion for value in imaging assignment 2025-11-09 11:33:51 +13:00
Ralph Slooten
5ad8619893 Fix: Prevent potential information disclosure via indirect expvar library (Prometheus) 
This is a security fix which prevents potential information disclosure due to a pre-registered HTTP route. The Prometheus client imports the go stdlib expvar, which in turn is auto-registers `/debug/vars` on the default servemux. This fix ensures no default/global routes are inherited via the http library.
 2025-10-08 17:32:05 +13:00
Ralph Slooten
99ab38fbba Chore: Add tooltip to messages nav dropdown 2025-10-08 17:32:05 +13:00
Ralph Slooten
ae65312d02 Chore: Update navbar theme to use data-bs-theme attribute for consistency 2025-09-26 14:50:27 +12:00
Ralph Slooten
0770bd8d19 Chore: Add margin to icons in release and delete buttons for consistent spacing 2025-09-26 14:50:06 +12:00
Ralph Slooten
e2314fb3b9 Chore: UI tweaks to pagination layout for clearer navigation (#568) 2025-09-26 14:48:51 +12:00
Ralph Slooten
5a4d13b15a Security: Prevent integer overflow conversion to uint64 2025-07-25 20:33:27 +12:00
Ralph Slooten
2a7aa33a0a Fix: Do not check latest release for Prometheus statistics (#522) 2025-07-25 20:33:20 +12:00
Ralph Slooten
cce21854b9 Chore: Refactor JS functions and remove unused parameters 2025-07-24 17:27:11 +12:00
Ralph Slooten
f3e3536cdb Feature: Add ability to generate self-signed (snakeoil) certificates for UI, SMTP and POP3 (#539) 2025-07-24 17:02:50 +12:00
Ralph Slooten
75504c7bba Fix: Support angle brackets for text/plain URLs with spaces (#535) 2025-07-18 23:43:05 +12:00
Ralph Slooten
2d1fb7cf14 Chore: Allow unknown href link protocols in HTML view such as myapp:// (#532) 2025-07-01 08:01:09 +12:00
Ralph Slooten
e29883fa1c Chore: Refactor API Swagger definitions and remove unused structs 
- Removed deprecated `thumbnailParams` struct from `thumbnails.go`.
- Updated `server_test.go` to use an anonymous struct for response unmarshalling.
- Enhanced `swagger.json` with detailed definitions for SendRequest and SendMessageResponse.
- Introduced new `swaggerParams.go` to define Swagger parameters for various API endpoints.
- Created `swaggerResponses.go` to define Swagger responses for API endpoints.
- Cleaned up unused JSON error message definitions and consolidated error responses.
- Improved documentation for Chaos triggers and web UI configuration responses.
 2025-06-22 15:25:22 +12:00
Ralph Slooten
f99d9ecf69 Chore: Refactor error handling and resource management across multiple files (golangci-lint) 
- Updated error handling to use the error return value for resource closures in tests and functions, ensuring proper error reporting.
- Replaced direct calls to `Close()` with deferred functions that handle errors gracefully.
- Improved readability by using `strings.ReplaceAll` instead of `strings.Replace` for string manipulation.
- Enhanced network connection handling by adding default cases for unsupported network types.
- Updated HTTP response handling to use the appropriate status codes and error messages.
- Removed unused variables and commented-out code to clean up the codebase.
 2025-06-22 15:25:21 +12:00
Ralph Slooten
3fff79e29f Chore: Apply linting to all JavaScript/Vue files with eslint & prettier 2025-06-20 23:26:06 +12:00
Ben Edmunds
95e3ef6fca Feature: Allow version checking to be disabled (#524) 2025-06-19 22:29:20 +12:00
Ralph Slooten
4b5ce0afed Feature: Store username with messages, auto-tag, and UI display (#521) 2025-06-18 16:41:04 +12:00
Ralph Slooten
fed20de522 Feature: Add relay config to preserve (keep) original Message-IDs when relaying messages (#515) 2025-06-07 11:38:25 +12:00
Ben Edmunds
82d7bdc971 Feature: Add Prometheus exporter (#505) 2025-06-06 14:33:49 +12:00
Ben Edmunds
9bfdeb5f7b Feature: Send API allow separate auth (#504) 
Co-authored-by: Ben Edmunds <ben.edmunds@dotdigital.com>
 2025-05-30 08:34:40 +12:00
Ralph Slooten
c5b3edf87d Fix: Ignore basic auth for OPTIONS requests to API when CORS is set 
Web browsers do not send authorization headers for  preflight requests.
 2025-05-30 00:00:05 +12:00
Ralph Slooten
b84b428434 Chore: Add note to swagger docs about API date formats 2025-05-25 09:56:53 +12:00
Ralph Slooten
91409310d7 Chore: Lighten outline-secondary buttons in dark mode 2025-05-23 23:19:54 +12:00
Ralph Slooten
74c6a0a434 Chore: Switch from unnecessary float64 to uint64 API values for App Information, message & attachment sizes 2025-05-20 16:51:02 +12:00
Ralph Slooten
a1c2690c44 Use text-muted instead of text-secondary 2025-05-18 10:31:39 +12:00
Ralph Slooten
bf5609a39b Chore: Adjust UI margin for side navigation 2025-05-18 10:31:36 +12:00