feat: Portal, Email Inbound, Discuss + module improvements

- Portal: /my/* routes, signup, password reset, portal user support - Email Inbound: IMAP polling (go-imap/v2), thread matching - Discuss: mail.channel, long-polling bus, DM, unread count - Cron: ir.cron runner (goroutine scheduler) - Bank Import, CSV/Excel Import - Automation (ir.actions.server) - Fetchmail service - HR Payroll model - Various fixes across account, sale, stock, purchase, crm, hr, project Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-12 18:41:57 +02:00
parent 2c7c1e6c88
commit 66383adf06
87 changed files with 14696 additions and 654 deletions
--- a/pkg/tools/email.go
+++ b/pkg/tools/email.go
@@ -1,6 +1,7 @@
 package tools

 import (
+	"crypto/rand"
 	"encoding/base64"
 	"fmt"
 	"log"
@@ -64,8 +65,12 @@ func SendEmail(cfg *SMTPConfig, to, subject, body string) error {
 		return nil
 	}

+	// Sanitize headers to prevent injection via \r\n
+	sanitize := func(s string) string {
+		return strings.NewReplacer("\r", "", "\n", "").Replace(s)
+	}
 	msg := fmt.Sprintf("From: %s\r\nTo: %s\r\nSubject: %s\r\nMIME-Version: 1.0\r\nContent-Type: text/html; charset=utf-8\r\n\r\n%s",
-		cfg.From, to, subject, body)
+		sanitize(cfg.From), sanitize(to), sanitize(subject), body)

 	auth := smtp.PlainAuth("", cfg.User, cfg.Password, cfg.Host)
 	addr := fmt.Sprintf("%s:%d", cfg.Host, cfg.Port)
@@ -83,12 +88,17 @@ func SendEmailWithAttachments(cfg *SMTPConfig, to []string, subject, bodyHTML st
 	}

 	addr := fmt.Sprintf("%s:%d", cfg.Host, cfg.Port)
-	boundary := "==odoo-go-boundary-42=="
+	b := make([]byte, 16)
+	rand.Read(b)
+	boundary := fmt.Sprintf("==odoo-go-%x==", b)

+	sanitize := func(s string) string {
+		return strings.NewReplacer("\r", "", "\n", "").Replace(s)
+	}
 	var msg strings.Builder
-	msg.WriteString(fmt.Sprintf("From: %s\r\n", cfg.From))
-	msg.WriteString(fmt.Sprintf("To: %s\r\n", strings.Join(to, ", ")))
-	msg.WriteString(fmt.Sprintf("Subject: %s\r\n", subject))
+	msg.WriteString(fmt.Sprintf("From: %s\r\n", sanitize(cfg.From)))
+	msg.WriteString(fmt.Sprintf("To: %s\r\n", sanitize(strings.Join(to, ", "))))
+	msg.WriteString(fmt.Sprintf("Subject: %s\r\n", sanitize(subject)))
 	msg.WriteString("MIME-Version: 1.0\r\n")

 	if len(attachments) > 0 {