16.0 - Migration mail_embed_image #1402
Conversation
| ).decode("utf-8") | ||
| image_content = response.content | ||
| filepart = MIMEImage(image_content) | ||
| filepart.add_header("Content-ID", f"<{cid}>") |
There was a problem hiding this comment.
ask : shall not be the cid.encode("utf-8") ?
imlopes
force-pushed
the
16.0-mig-mail_embed_image
branch
from
b7b8a38 to
8fcc1b9
Compare
|
This PR has the |
| src = img.get("src") | ||
| if src and not src.startswith("data:") and not src.startswith("base64:"): | ||
| try: | ||
| response = requests.get(src, timeout=10) |
There was a problem hiding this comment.
the reason the original did the fetching in a somewhat roundabout way is that what you do here allows malicious users to craft emails to themselves and have Odoo fetch arbitrary resources from the internal network. Can be harmless, can be catastrophic depending on what's accessible from there
There was a problem hiding this comment.
May be harmless or catastrophic...
Yes, probably.
Is functionally really expected, yes too.
Thanks @imlopes for this code.
There was a problem hiding this comment.
well as it is I really don't think it should be published.
But what was the problem? Currently you'd call https://github.com/OCA/OCB/blob/16.0/odoo/addons/base/models/ir_http.py#L95 which relieves you from constructing the routing map yourself, and you only need to create a dummy request bound to the public user in a pretty similar way the v10 version does it
|
superseeded by #1499 |
|
Thanks a lot @StephaneMangin 🫶 |
No description provided.