eric/mailpit
1
0
Fork 0
mirror of https://github.com/axllent/mailpit.git synced 2026-06-27 22:46:09 +00:00
Code Issues Packages Projects Releases Wiki Activity
1,812 Commits 2 Branches 191 Tags
8b4c9d1267ee8c2b617dd2c2a080e788ca00ad96
Commit Graph

450 Commits

Author SHA1 Message Date
Ralph Slooten
8b4c9d1267 Update AppAbout.vue: Enhance version notification display for stable and development builds 2026-05-10 10:41:38 +12:00
Ralph Slooten
4502cdc358 Handle error in writePump when sending ping messages 2026-05-09 17:06:14 +12:00
Ralph Slooten
fbb63c89dd Chore: Simplify writePump by using WriteMessage and remove unnecessary newline handling 2026-05-09 17:05:22 +12:00
Ralph Slooten
71bd44bbb5 Chore: Ensure websocket connection is closed on client unregistration 2026-05-09 17:02:48 +12:00
Ralph Slooten
b997fff7eb Chore: Refactor Hub to use atomic clientCount for safe concurrent client tracking 2026-05-09 17:01:47 +12:00
Ralph Slooten
10430f7dce Chore: Improve iframe height adjustment with optional chaining 2026-05-05 17:41:17 +12:00
Ralph Slooten
878c68bb49 Chore: Replace lithammer/shortuuid with custom shortuuid implementation and update tests 2026-05-05 17:09:55 +12:00
Ralph Slooten
3b2423bdf1 Chore: Remove gorilla/mux dependency and replace with stdlib routing 2026-05-05 16:47:51 +12:00
Ralph Slooten
9dd1e99f52 Fixes for eslint validation 2026-03-29 17:40:43 +13:00
Ralph Slooten
dc9b8d54b7 Security: Add sandbox attribute to message iframe for extra later of security (already protected via CSP headers) 
Note that this does not provide any additional security as such as the CSP headers do this, however it is another barrier when it comes to bypass attempts.
 2026-03-28 08:01:51 +13:00
Ralph Slooten
b8cc1bc415 Fix typo 2026-03-26 07:47:20 +13:00
Ralph Slooten
9c2359eee5 Feature: Add filter functionality to message headers tab 
This implementation is based on, and resolves, #626
 2026-03-22 17:40:54 +13:00
Ralph Slooten
7b22d6a5f9 Fix: Refactor webhook delay & rate limit logic to ignore endpoint response times & prevent hardcoded 1000 message limit when set to 0 (#656) 2026-03-16 22:29:45 +13:00
Ralph Slooten
70037e96f4 Chore: Update Content-Disposition header to use inline display and escape filename 2026-03-10 12:03:35 +13:00
Ralph Slooten
140633718c Chore: Limit subject length to 100 characters in browser notifications 2026-03-10 11:31:21 +13:00
Ralph Slooten
f40911c580 Security: Escape ContentID in HTML replacement to prevent regex injection 2026-03-10 11:27:47 +13:00
Ralph Slooten
3073ef9afe Chore: Replace localStorage retrieval with a dedicated function for default release addresses 2026-03-10 11:20:33 +13:00
Ralph Slooten
804d49b7ca Chore: Set margin & padding to HTML screenshot to prevent transparent top/left border 2026-03-10 11:09:28 +13:00
Ralph Slooten
7d29dff5e7 Security: Enhance HTML sanitization in screenshot generation 2026-03-10 10:24:40 +13:00
Ralph Slooten
bc8a737d4f Chore: Simplify HTML decoding function in screenshot generation using DOMParser 2026-03-10 10:04:47 +13:00
Ralph Slooten
b99be839a0 Security: Enhance HTML sanitization in message view 2026-03-10 10:02:10 +13:00
Ralph Slooten
a72d42c8d4 Chore: Set timeout for HTTP client in webhook Send function 2026-03-09 12:34:50 +13:00
Ralph Slooten
f8052e1d56 Security: Limit proxy requests to 50MB to prevent OOM attacks 2026-03-09 12:31:17 +13:00
Ralph Slooten
267bf8b639 Security: Enhance CORS origin handling to respect host:port distinctions 2026-03-09 12:30:56 +13:00
Ralph Slooten
bb6bdf629d Chore: Refactor events websocket middleware 2026-03-09 11:20:45 +13:00
Ralph Slooten
a0a4ebb943 Chore: Refactor API send authentication logic 2026-03-09 11:08:19 +13:00
Ville Skyttä
2afc52c6fe Chore: Refactor code with go fix 
Done with `go fix ./...` using go 1.26.0.
 2026-03-03 16:03:28 +13:00
Ralph Slooten
7bb330a07a Chore: Use last release + git hash in Docker edge versions 2026-03-02 22:38:38 +13:00
Ralph Slooten
10ad4df8cc Security: Prevent Server-Side Request Forgery (SSRF) via Link Check API ([GHSA-mpf7-p9x7-96r3](https://github.com/axllent/mailpit/security/advisories/GHSA-mpf7-p9x7-96r3)) 
By default all internal HTTP requests are now blocked, unless mailpit is started with the `--allow-internal-http-requests` flag (env  `MP_ALLOW_INTERNAL_HTTP_REQUESTS=true`).
 2026-02-24 14:22:02 +13:00
Ralph Slooten
08ed46fc46 Use const instead of let 2026-02-21 22:43:51 +13:00
Ralph Slooten
c8caa29e24 Fix: Enable "Mark all read" button (Inbox) when new message is received 2026-02-09 15:38:11 +13:00
Ralph Slooten
7d314d2b50 Chore: Add CORS error logging and update error messages for failed CORS requests 2026-02-08 11:19:54 +13:00
Ralph Slooten
9d2f30787a Fix spelling 2026-02-08 11:17:17 +13:00
Ralph Slooten
e6fd638067 Detect if copy to clipboard is supported 2026-02-01 16:09:49 +13:00
Ralph Slooten
e2b1b2d0fe Code cleanup 2026-02-01 15:58:31 +13:00
Ralph Slooten
9b4ec97483 Minor UI tweaks 2026-02-01 15:44:13 +13:00
Ralph Slooten
dd74d46880 Feature: Option to display/hide attachment information in message view in web UI including checksums, content type & disposition 
Resolves #625
 2026-02-01 15:34:06 +13:00
Ralph Slooten
0bfbb4cc5f Feature: Include message attachment checksums (MD5, SHA1 & SHA254) in API message summary 2026-02-01 15:34:05 +13:00
Roman Urbanovich
9391b075d0 Chore: Add support for webhook delay (#627) 2026-02-01 15:33:54 +13:00
Ralph Slooten
8d18618e4a Test: Add CORS tests 2026-02-01 15:33:53 +13:00
Ralph Slooten
a63bcd9bd3 Chore: Add support for multi-origin CORS settings and apply to events websocket (#630) 2026-02-01 15:33:53 +13:00
Ralph Slooten
b9f36312d7 Fix: Avoid error on image type assertion in thumbnail generation 
Use imaging.Clone to ensure the image is always *image.NRGBA, preventing panics when decoding non-NRGBA images (e.g., JPEGs as *image.YCbCr).
 2026-01-25 10:05:39 +13:00
Ralph Slooten
7cda4a36f1 Chore: Allow @ character in message tags & set max length to 100 characters per tag 2026-01-17 11:12:45 +13:00
Ralph Slooten
3108d82e06 Fix: Correctly render default addresses in release modal after settings change (#594) 2026-01-10 22:19:18 +13:00
Ralph Slooten
c5c9292863 More reliable handling for default release email editing 2026-01-10 15:56:19 +13:00
Ralph Slooten
6f1f4f34c9 Security: Prevent Cross-Site WebSocket Hijacking (CSWSH) allowing unauthenticated access to message data [CVE-2026-22689](https://github.com/axllent/mailpit/security/advisories/GHSA-524m-q5m7-79mm) 2026-01-10 15:42:14 +13:00
Ralph Slooten
877a9159ce Delay bootstrap-tags init until after render 2026-01-08 16:23:24 +13:00
Ralph Slooten
c4582889ad Update default release address wording 2026-01-08 16:20:00 +13:00
Ralph Slooten
392904fd23 Chore: Avoid empty URL query parameter when returning to inbox from message view 2026-01-08 16:03:35 +13:00
Ralph Slooten
f0160c0e29 Feature: Allow default mail addresses to be set when releasing message (#594) 2026-01-08 16:03:35 +13:00