Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

16.0 - Migration mail_embed_image #1402

Open
wants to merge 18 commits into
base: 16.0
Choose a base branch
from
Open

16.0 - Migration mail_embed_image #1402

wants to merge 18 commits into from

Conversation

imlopes
Copy link

@imlopes imlopes commented Jun 17, 2024

No description provided.

@imlopes imlopes marked this pull request as ready for review June 17, 2024 17:21
cyrilmanuel
cyrilmanuel approved these changes Jun 18, 2024
View reviewed changes
Copy link

@cyrilmanuel cyrilmanuel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not an expert but LGTM

mail_embed_image/__manifest__.py Outdated Show resolved Hide resolved
mail_embed_image/models/ir_mail_server.py
).decode("utf-8")
image_content = response.content
filepart = MIMEImage(image_content)
filepart.add_header("Content-ID", f"<{cid}>")
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ask : shall not be the cid.encode("utf-8") ?

@OCA-git-bot
Copy link
Contributor

This PR has the approved label and has been created more than 5 days ago. It should therefore be ready to merge by a maintainer (or a PSC member if the concerned addon has no declared maintainer). 🤖

hbrunn
hbrunn requested changes Jul 5, 2024
View reviewed changes
mail_embed_image/models/ir_mail_server.py
src = img.get("src")
if src and not src.startswith("data:") and not src.startswith("base64:"):
try:
response = requests.get(src, timeout=10)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the reason the original did the fetching in a somewhat roundabout way is that what you do here allows malicious users to craft emails to themselves and have Odoo fetch arbitrary resources from the internal network. Can be harmless, can be catastrophic depending on what's accessible from there

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hbrunn hbrunn hbrunn requested changes

@gurneyalex gurneyalex gurneyalex approved these changes

@cyrilmanuel cyrilmanuel cyrilmanuel approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
8 participants
@imlopes @OCA-git-bot @gurneyalex @hbrunn @cyrilmanuel @gfcapalbo @oca-travis @TDu