Escape argument for rmalias

.gitignore

@@ -5,5 +5,5 @@ config.py
 users/
 sys
 *~
-#*
+*#*
 .*

views/#mymailbox.py#

@@ -1,132 +0,0 @@
-from flask import Blueprint, Flask, request, flash, render_template, url_for, session, redirect, abort, make_response, send_file, flash, abort, send_from_directory
-from werkzeug.utils import secure_filename
-from PIL import Image
-from markupsafe import escape
-import time
-import sqlite3
-import os
-from shutil import copy
-from socket import gethostname
-from tools.utils import email_disp, append_to_log, gen_token, valid_passwd, login_required
-
-
-
-mymailbox = Blueprint('mymailbox', __name__, template_folder='templates')
-
-app = Flask( 'pywallter' )
-app.config.from_pyfile('config.py')
-
-
-#### Variables ####################################################################################
-DOSSIER_PERSO = app.config['DOSSIER_APP']
-
-extensionimg = app.config['EXT_IMG']
-
-DATABASE = app.config['DATABASE']
-DATAS_USER = app.config['DOSSIER_APP']
-MAIL_SERVER = app.config['MAIL_SERVER']
-XMPP_SERVER = app.config['XMPP_SERVER']
-SETUID = app.config['SETUID']
-BASE_URL = app.config['BASE_URL']
-BACKUP_TIME = app.config['BACKUP_TIME']
-
-##################################################################################################
-
-
-        
-@mymailbox.route('/mymailbox/alias', methods=['GET', 'POST'] )
-@login_required
-def myalias():
-    hostname=gethostname()
-    UTILISATEUR='%s' % escape(session['username'])
-    conn = sqlite3.connect(DATABASE) # Connexion à la base de donnée
-    cursor = conn.cursor() # Création de l'objet "curseur"
-    if request.method == 'POST' and MAIL_SERVER:
-        if request.form['alias']:
-            alias = request.form['alias'].lower()+'@'+hostname
-        else:
-            flash(u'Addresse invalide')
-
-        if email_disp(alias):
-            cursor.execute("""SELECT Mail, alias FROM users where name=?""", (UTILISATEUR,))
-            tmp = cursor.fetchone()
-            mail = tmp[0]
-            if tmp[1]:
-               alias_list = tmp[1]
-               aliases = alias_list + "," +alias
-            else:
-               aliases = alias
-            cmd = SETUID+ " set_mail_alias " + "'"+mail+"'"+" add "+"'"+alias+"'"
-            res = os.system(cmd)
-            if res == 0:
-               cursor.execute("UPDATE users SET alias=? WHERE name=?",
-                              (aliases, UTILISATEUR))
-               conn.commit()
-               TIME=time.strftime("%A %d %B %Y %H:%M:%S")
-               IP=request.environ['REMOTE_ADDR']
-               CLIENT_PLATFORM=request.headers.get('User-Agent')
-
-               log=TIME + ' - ' + IP + ' - ' + UTILISATEUR + ' - ' + CLIENT_PLATFORM + '\n' + '---> ' + "Ajout de l'alias "+ alias  + '\n'
-               append_to_log(log, UTILISATEUR)
-               flash(u'Votre alias a été ajouté', 'succes')
-            else:
-                flash(u'Adresse indisponible', 'error')
-        else:
-            flash(u'Adresse indisponible', 'error')
-
-    cursor.execute("""SELECT Mail, alias FROM users WHERE name=?""",
-                   (UTILISATEUR,))
-    tmp = cursor.fetchone()
-    mailbox = dict()
-    mailbox['Mail'] = tmp[0]
-    if tmp[1]:
-        mailbox['alias'] = tmp[1].split(',')
-    else:
-        mailbox['alias'] = list()
-
-    conn.close()
-    return render_template('myalias.html',
-                           section="mailbox",
-                           email=mailbox['Mail'],
-                           aliases=mailbox['alias'],
-                           hostname=hostname,
-                           MAIL_SERVER=MAIL_SERVER,
-                             username=UTILISATEUR )
-
-
-@mymailbox.route('/mymailbox/rmalias/<aliasrm>')
-@login_required
-def remove_alias(aliasrm):
-    aliasrm = escape(aliasrm)
-    if MAIL_SERVER:
-        UTILISATEUR='%s' % escape(session['username'])
-        conn = sqlite3.connect(DATABASE) # Connexion à la base de donnée
-        cursor = conn.cursor() # Création de l'objet "curseur"
-        cursor.execute("""SELECT Mail, alias FROM users WHERE name=?""", (UTILISATEUR,))
-        tmp = cursor.fetchone()
-        mail = tmp[0]
-        alias_list = tmp[1].split(',')
-        aliases = ""
-        for alias in alias_list:
-            if alias != aliasrm:
-                if aliases:
-                    aliases = aliases + "," + alias
-                else:
-                    aliases = alias
-        cmd = SETUID + " set_mail_alias " + "'"+mail+"'"+" del "+"'"+alias+"'"
-        res = os.system(cmd)
-        if res == 0:
-            cursor.execute("UPDATE users SET alias=? WHERE name=?",
-                           (aliases, UTILISATEUR))
-            conn.commit()
-            TIME=time.strftime("%A %d %B %Y %H:%M:%S")
-            IP=request.environ['REMOTE_ADDR']
-            CLIENT_PLATFORM=request.headers.get('User-Agent')
-            log = TIME + ' - ' + IP + ' - ' + UTILISATEUR + ' - ' + CLIENT_PLATFORM + '\n' + '---> ' + "Suppression de l'alias "+ alias  + '\n'
-            append_to_log(log, UTILISATEUR)
-            flash(u'Votre alias a été supprimé', 'succes')
-        else:
-            flash(u'Il y a eu une erreur', 'error')
-
-    return redirect(url_for('mymailbox.myalias', _external=True))
-

views/mymailbox.py

@@ -97,6 +97,7 @@ def myalias():
 @mymailbox.route('/mymailbox/rmalias/<aliasrm>')
 @login_required
 def remove_alias(aliasrm):
+    aliasrm = escape(aliasrm)
     if MAIL_SERVER:
         UTILISATEUR='%s' % escape(session['username'])
         conn = sqlite3.connect(DATABASE) # Connexion à la base de donnée