Merge branch 'security/4.4.7-releng' into 4.4.7-releng

bestpractical · Oct 19, 2023 · 33e9203 · 33e9203
2 parents 2c63541 + 42124d3
commit 33e9203
Show file tree

Hide file tree

Showing 9 changed files with 48 additions and 8 deletions.
diff --git a/docs/web_deployment.pod b/docs/web_deployment.pod
@@ -171,6 +171,30 @@ B<WARNING: mod_perl 1.99_xx is not supported.>
 To run RT using mod_perl 1.xx please see L<Plack::Handler::Apache1> for
 configuration examples.
 
+=head3 Restricting the REST 1.0 mail-gateway
+
+RT processes email via a REST 1.0 endpoint. If you accept email on the same
+server as your running RT, you can restrict this endpoint to localhost only
+with a configuration like the following:
+
+    # Accept requests only from localhost
+    <Location /REST/1.0/NoAuth/mail-gateway>
+        Require local
+    </Location>
+
+If you run C<bin/rt-mailgate> on a separate server, you can update
+the above to allow additional IP addresses.
+
+    <Location /REST/1.0/NoAuth/mail-gateway>
+        Require ip 127.0.0.1 ::1 192.0.2.0  # Add your actual IPs
+    </Location>
+
+See the L<Apache documentation|https://httpd.apache.org/docs/2.4/mod/mod_authz_host.html>
+for additional configuration options.
+
+After adding this configuration, test receiving email and confirm
+your C<bin/rt-mailgate> utility and C</etc/aliases> configurations
+can successfully submit email to RT.
 
 =head2 nginx
 

diff --git a/lib/RT/Interface/Email.pm b/lib/RT/Interface/Email.pm
@@ -159,6 +159,10 @@ sub Gateway {
         );
     }
 
+    # Clean up sensitive headers. Crypt related headers are cleaned up in RT::Interface::Email::Crypt::VerifyDecrypt
+    my @headers = qw( RT-Attach RT-Send-Cc RT-Send-Bcc RT-Message-ID RT-DetectedAutoGenerated RT-Squelch-Replies-To );
+    $Message->head->delete($_) for @headers;
+
     #Set up a queue object
     my $SystemQueueObj = RT::Queue->new( RT->SystemUser );
     $SystemQueueObj->Load( $args{'queue'} );

diff --git a/lib/RT/Interface/Email/Crypt.pm b/lib/RT/Interface/Email/Crypt.pm
@@ -73,13 +73,14 @@ sub VerifyDecrypt {
     );
 
     # we clean all possible headers
-    my @headers =
+    my @headers = (
         qw(
             X-RT-Incoming-Encryption
             X-RT-Incoming-Signature X-RT-Privacy
             X-RT-Sign X-RT-Encrypt
         ),
-        map "X-RT-$_-Status", RT::Crypt->Protocols;
+        map "X-RT-$_-Status", RT::Crypt->Protocols
+    );
     foreach my $p ( $args{'Message'}->parts_DFS ) {
         $p->head->delete($_) for @headers;
     }

diff --git a/share/html/REST/1.0/NoAuth/mail-gateway b/share/html/REST/1.0/NoAuth/mail-gateway
@@ -59,9 +59,18 @@ use RT::Interface::Email;
 $r->content_type('text/plain; charset=utf-8');
 $m->error_format('text');
 my ( $status, $error, $Ticket ) = RT::Interface::Email::Gateway( \%ARGS );
+
+# Obscure the message to avoid any information disclosure unless
+# in DevelMode.
+my $log_error;
+unless ( RT->Config->Get('DevelMode') ) {
+    $log_error = $error;
+    $error = 'operation unsuccessful';
+}
+
 if ( $status == 1 ) {
   $m->out("ok\n");
-  if ( $Ticket && $Ticket->Id ) {
+  if ( $Ticket && $Ticket->Id && RT->Config->Get('DevelMode') ) {
     $m->out( 'Ticket: '  . ($Ticket->Id             || '') . "\n" );
     $m->out( 'Queue: '   . ($Ticket->QueueObj->Name || '') . "\n" );
     $m->out( 'Owner: '   . ($Ticket->OwnerObj->Name || '') . "\n" );
@@ -73,9 +82,11 @@ if ( $status == 1 ) {
 }
 else {
   if ( $status == -75 ) {
+    RT->Logger->error("mail-gateway returned status -75: $log_error") if $log_error;
     $m->out( "temporary failure - $error\n" );
   }
   else {
+    RT->Logger->error("mail-gateway error: $log_error") if $log_error;
     $m->out( "not ok - $error\n" );
   }
 }

diff --git a/t/mail/gateway.t b/t/mail/gateway.t
@@ -2,7 +2,7 @@ use strict;
 use warnings;
 
 
-use RT::Test config => 'Set( @MailPlugins, "Action::Take", "Action::Resolve");', tests => undef, actual_server => 1;
+use RT::Test config => 'Set( @MailPlugins, "Action::Take", "Action::Resolve"); Set($DevelMode, 1);', tests => undef, actual_server => 1;
 my ($baseurl, $m) = RT::Test->started_ok;
 
 use RT::Tickets;

diff --git a/t/mail/han-encodings.t b/t/mail/han-encodings.t
@@ -1,7 +1,7 @@
 use strict;
 use warnings;
 
-use RT::Test tests => undef, actual_server => 1;
+use RT::Test tests => undef, config => 'Set($DevelMode, 1);', actual_server => 1;
 
 # we can't simply call Encode::HanExtra->require here because we are testing
 # if Encode::HanExtra could be automatically loaded.

diff --git a/t/mail/sendmail-plaintext.t b/t/mail/sendmail-plaintext.t
@@ -132,7 +132,7 @@ for my $encoding ('ISO-8859-1', 'UTF-8') {
 {
     my ($ticket) = mail_in_ticket('rt-send-cc');
     my $cc = first_attach($ticket)->GetHeader('RT-Send-Cc');
-    like ($cc, qr/test$_/, "Found test $_") for 1..5;
+    ok (!$cc, "No RT-Send-Cc"); # RT-Send-Cc is supposed to be cleared
 }
 
 {

diff --git a/t/mail/sendmail.t b/t/mail/sendmail.t
@@ -157,7 +157,7 @@ for my $encoding ('ISO-8859-1', 'UTF-8') {
 {
     my ($ticket) = mail_in_ticket('rt-send-cc');
     my $cc = first_attach($ticket)->GetHeader('RT-Send-Cc');
-    like ($cc, qr/test$_/, "Found test $_") for 1..5;
+    ok (!$cc, "No RT-Send-Cc"); # RT-Send-Cc is supposed to be cleared
 }
 
 {

diff --git a/t/ticket/interface.t b/t/ticket/interface.t
@@ -1,7 +1,7 @@
 use strict;
 use warnings;
 
-use RT::Test tests => undef, actual_server => 1;
+use RT::Test tests => undef, config => 'Set($DevelMode, 1);', actual_server => 1;
 
 my ( $baseurl, $m ) = RT::Test->started_ok;