fix(security): Email-Matching, LDAP-Validierung, Auditor-Isolation

- mailBelongsToUser: net/mail.ParseAddressList statt strings.Contains
  verhindert False-Positives durch Display-Namen in Mail-Headern
- LDAP mail-Attribut: net/mail.ParseAddress-Validierung vor Übernahme,
  Fallback auf username / username@ldap.local bei ungültiger Adresse
- handleSearch: Auditor-Rolle in userEmailFilter-Check eingeschlossen,
  sodass Auditoren im Search-Pfad dieselbe Mail-Isolation erhalten wie User

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
sysops
2026-04-04 01:18:34 +02:00
parent 36d8db1574
commit 22cbfb5df6
2 changed files with 56 additions and 10 deletions
+11
@@ -9,6 +9,7 @@ import (
"errors"
"fmt"
"io"
"net/mail"
"strings"
"time"
@@ -117,6 +118,11 @@ func (m *Manager) Login(username, password string) (token string, user *userstor
}
}
email := attrs["mail"]
if email != "" {
if _, err := mail.ParseAddress(email); err != nil {
email = "" // invalid mail attribute — fall back
}
}
if email == "" {
email = username
}
@@ -163,6 +169,11 @@ func (m *Manager) Login(username, password string) (token string, user *userstor
}
}
email := attrs["mail"]
if email != "" {
if _, err := mail.ParseAddress(email); err != nil {
email = "" // invalid mail attribute — fall back
}
}
if email == "" {
email = username + "@ldap.local"
}
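Review bot: The parsed address returned by mail.ParseAddress is discarded at the `if _, err := mail.ParseAddress(email); err != nil {` line in both hunks (this one and the one at +118), so an LDAP mail attribute of the form `Jane Doe <jane@example.org>` passes validation and is stored verbatim, display name included — the very shape the description says the mailBelongsToUser change was meant to stop matching on. Keeping the normalized form is a small change: `if addr, err := mail.ParseAddress(email); err == nil {` / `email = addr.Address` / `} else { email = "" // invalid mail attribute — fall back }`. Since the two hunks are otherwise identical, the check belongs in one helper (e.g. `normalizeMail(attr string) string`, returning "" when the attribute does not parse) called from both branches, which also makes the differing fallbacks (`username` versus `username + "@ldap.local"`) stand out as a deliberate decision; the bare `username` fallback in the first hunk is not an address, so if downstream code parses the stored email with net/mail it will presumably never match — worth confirming against the caller. Login's body starts and ends outside both hunks.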