From 2a80bb01ac1a41d5e5fcd70c7a37f62c5c93e8a9 Mon Sep 17 00:00:00 2001
From: "Patrick.St" <72972659+pstuhlmueller@users.noreply.github.com>
Date: Tue, 21 Feb 2023 16:13:07 +0100
Subject: [PATCH 1/4] fix: Incorrect use of the Walrus operator

Incorrect use of the Walrus operator leads to unintended behavior for if-condition: "None" will be appended to cc.
---
 frappe/core/doctype/communication/mixins.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frappe/core/doctype/communication/mixins.py b/frappe/core/doctype/communication/mixins.py
index 7b6427d1c2..7b34208019 100644
--- a/frappe/core/doctype/communication/mixins.py
+++ b/frappe/core/doctype/communication/mixins.py
@@ -70,7 +70,7 @@ class CommunicationEmailMixin:
 if include_sender:
 cc.append(self.sender_mailid)
 if is_inbound_mail_communcation:
- if (doc_owner := self.get_owner()) not in frappe.STANDARD_USERS:
+ if (doc_owner := self.get_owner()) and (doc_owner not in frappe.STANDARD_USERS):
 cc.append(doc_owner)
 cc = set(cc) - {self.sender_mailid}
 cc.update(self.get_assignees())
From 841557338b69d455a683ce4f02e8c76a12016b49 Mon Sep 17 00:00:00 2001
From: "Patrick.St" <72972659+pstuhlmueller@users.noreply.github.com>
Date: Tue, 21 Feb 2023 16:24:02 +0100
Subject: [PATCH 2/4] fix: sending mails to unintended recipients as cc

Security vulnerability: Unintentionally, all incoming emails are sent as CC to all users in a ToDo as "allocated_to" with the status "Open"
---
 frappe/core/doctype/communication/mixins.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/frappe/core/doctype/communication/mixins.py b/frappe/core/doctype/communication/mixins.py
index 7b34208019..22b7e8a0fc 100644
--- a/frappe/core/doctype/communication/mixins.py
+++ b/frappe/core/doctype/communication/mixins.py
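Review bot: In the `is_inbound_mail_communcation` branch of PATCH 1/4 the assignment expression stays embedded in a doubly parenthesised compound condition, which makes the added truthiness check on the owner easy to overlook. A plain binding reads more safely: `doc_owner = self.get_owner()` followed by `if doc_owner and doc_owner not in frappe.STANDARD_USERS:`. A regression test for an inbound communication whose `get_owner()` returns `None` would keep a stray `None` from reaching the recipient list again. The enclosing method starts and ends outside the hunk.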
@@ -216,7 +216,11 @@ class CommunicationEmailMixin:
 "reference_name": self.reference_name,
 "reference_type": self.reference_doctype,
 }
- return ToDo.get_owners(filters)
+
+ if self.reference_doctype == "ToDo" and self.reference_name != None:
+ return ToDo.get_owners(filters)
+ else:
+ return []

 @staticmethod
 def filter_thread_notification_disbled_users(emails):
From aab37e0a6ca59727edf7c48ee9bc64d09677fcea Mon Sep 17 00:00:00 2001
From: Suraj Shetty <13928957+surajshetty3416@users.noreply.github.com>
Date: Fri, 31 Mar 2023 13:31:18 +0530
Subject: [PATCH 3/4] fix: Check if reference_name is set

---
 frappe/core/doctype/communication/mixins.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frappe/core/doctype/communication/mixins.py b/frappe/core/doctype/communication/mixins.py
index 22b7e8a0fc..52ea93d829 100644
--- a/frappe/core/doctype/communication/mixins.py
+++ b/frappe/core/doctype/communication/mixins.py
@@ -217,7 +217,7 @@ class CommunicationEmailMixin:
 "reference_type": self.reference_doctype,
 }

- if self.reference_doctype == "ToDo" and self.reference_name != None:
+ if self.reference_doctype and self.reference_name:
 return ToDo.get_owners(filters)
 else:
 return []
From 7a92a604e0686e1679c6df3ecce7a9f38e0c1506 Mon Sep 17 00:00:00 2001
From: Suraj Shetty <13928957+surajshetty3416@users.noreply.github.com>
Date: Fri, 31 Mar 2023 14:03:49 +0530
Subject: [PATCH 4/4] style: Fix formatting

---
 frappe/email/smtp.py | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/frappe/email/smtp.py b/frappe/email/smtp.py
index 5e1b5ef296..3b22bc4ce4 100644
--- a/frappe/email/smtp.py
+++ b/frappe/email/smtp.py
@@ -69,9 +69,7 @@ class SMTPServer:
 if not self.server:
 frappe.msgprint(
- _(
- "Email Account not setup. Please create a new Email Account from Settings > Email Account"
- ),
+ _("Email Account not setup. Please create a new Email Account from Settings > Email Account"),
 raise_exception=frappe.OutgoingEmailError,
 )
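Review bot: The guard added in PATCH 2/4 and relaxed in PATCH 3/4 sits only in this caller, so `ToDo.get_owners(filters)` can presumably still be reached from other code with empty `reference_type`/`reference_name` values and return the owners of unrelated open ToDos, which is the over-broad CC this series is meant to stop. Consider rejecting empty reference filters inside `ToDo.get_owners` as well, or at least documenting that contract there. In this method the check can become a guard clause placed before `filters` is built, `if not (self.reference_doctype and self.reference_name): return []`, which also removes the `else` after `return`. A regression test asserting that a communication without a reference yields no assignees would pin the fix. The method starts outside the hunk, so the guard clause would land above the visible lines.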