fixes #2677: secure way of sharing dmails

2016-12-05 16:20:25 -08:00
parent b68ded2796
commit bfa1ac63a4
2 changed files with 6 additions and 4 deletions
--- a/app/models/dmail.rb
+++ b/app/models/dmail.rb
@@ -86,7 +86,7 @@ class Dmail < ActiveRecord::Base
    end
    
    def method_attributes
-      super + [:hash]
+      super + [:key]
    end
  end
  
@@ -222,12 +222,13 @@ class Dmail < ActiveRecord::Base
    end
  end
  
-  def hash
-    Digest::SHA1.hexdigest("#{title} #{body}")
+  def key
+    digest = OpenSSL::Digest.new("sha256")
+    OpenSSL::HMAC.hexdigest(digest, Danbooru.config.email_key, "#{title} #{body}")
  end
  
  def visible_to?(user, key)
-    owner_id == user.id || (user.is_moderator? && key == self.hash)
+    owner_id == user.id || (user.is_moderator? && key == self.key)
  end

 end
--- a/app/views/dmails/show.html.erb
+++ b/app/views/dmails/show.html.erb
@@ -22,6 +22,7 @@
        <%= link_to "Respond", new_dmail_path(:respond_to_id => @dmail) %>
        | <%= link_to "Forward", new_dmail_path(:respond_to_id => @dmail, :forward => true) %>
        | <%= link_to "Filter messages like these", edit_maintenance_user_dmail_filter_path(:dmail_id => @dmail.id) %>
+        | <%= link_to "Permalink", dmail_path(@dmail, :key => @dmail.key), :title => "Use this URL to privately share with a moderator" %>
      </p>
    </div>
  </div>