-rw-r--r--genesungswuensche.go27
1 files changed, 22 insertions, 5 deletions
diff --git a/genesungswuensche.go b/genesungswuensche.go
index 8347d43..d0a928b 100644
--- a/genesungswuensche.go
+++ b/genesungswuensche.go
@@ -529,6 +529,9 @@ func escapeHTML(s string) string {
// indexHandler serves the main HTML page
func (s *Server) indexHandler(w http.ResponseWriter, r *http.Request) {
+ fmt.Println(r.Header.Get("X-Forwarded-For"),
+ "authorized access from")
+
emails, err := s.parseMaildir()
if err != nil {
http.Error(w, "Error reading emails", http.StatusInternalServerError)
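Review bot: The access line added at the top of indexHandler records `X-Forwarded-For` as the caller's address, but that header is whatever the requester sent unless a trusted reverse proxy overwrites it, so the log can show any address the client chooses. The same value is printed in the success lines of markReadHandler and markUnreadHandler. Log the transport peer next to it and quote the header, e.g. `log.Printf("authorized access from %q (peer %s)", r.Header.Get("X-Forwarded-For"), r.RemoteAddr)`; the current argument order also prints the address before the words "authorized access from". Because the equivalent line is removed from auth() in the last hunk, other handlers wrapped by auth() appear to lose their access record entirely; if that is not intended, the line belongs in auth().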
@@ -887,6 +890,11 @@ func (s *Server) markReadHandler(w http.ResponseWriter, r *http.Request) {
return
}
+ if strings.ContainsAny(req.Filename, "/") {
+ http.Error(w, "Invalid request", http.StatusBadRequest)
+ return
+ }
+
sourcePath := filepath.Join(s.maildirPath, "new", req.Filename)
if _, err := os.Stat(sourcePath); os.IsNotExist(err) {
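Review bot: The guard added before `filepath.Join` rejects only names that contain `/`, so an empty name, `.` and `..` still pass and the joined path resolves to a directory (`new` itself or the maildir root), which `os.Stat` reports as existing. The rest of markReadHandler lies outside this hunk, so whether the later `os.Rename` would then act on that directory is inferred rather than shown. A stricter test that also covers OS-specific separators is `if filepath.Base(req.Filename) != req.Filename || req.Filename == "." || req.Filename == ".." {`. The identical check in markUnreadHandler needs the same change, and a small shared helper with a comment such as `// validMaildirName reports whether name is a single path element inside the maildir` would keep the two in sync.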
@@ -907,7 +915,7 @@ func (s *Server) markReadHandler(w http.ResponseWriter, r *http.Request) {
destPath := filepath.Join(s.maildirPath, "cur", destFilename)
if err := os.Rename(sourcePath, destPath); err != nil {
- log.Println("mark read error: ", err)
+ fmt.Println("mark read error: ", err)
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(map[string]interface{}{
"success": false,
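Review bot: Replacing `log.Println` with `fmt.Println` for the rename failure drops the timestamp the standard logger adds and moves the line from stderr to stdout, which makes these events harder to order and correlate during an investigation. The same switch is made in the markReadHandler success line and in both markUnreadHandler hunks. Unless stdout is captured by something that stamps each line itself, keep `log.Println("mark read error: ", err)` here. If the aim was only to change the output stream, call `log.SetOutput(os.Stdout)` once at startup instead.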
@@ -916,7 +924,10 @@ func (s *Server) markReadHandler(w http.ResponseWriter, r *http.Request) {
return
}
- log.Println("mark read success: ", sourcePath, "to", destPath)
+ fmt.Println(r.Header.Get("X-Forwarded-For"),
+ "mark read success from",
+ sourcePath, "to", destPath)
+
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(map[string]interface{}{
"success": true,
@@ -940,6 +951,11 @@ func (s *Server) markUnreadHandler(w http.ResponseWriter, r *http.Request) {
return
}
+ if strings.ContainsAny(req.Filename, "/") {
+ http.Error(w, "Invalid request", http.StatusBadRequest)
+ return
+ }
+
sourcePath := filepath.Join(s.maildirPath, "cur", req.Filename)
if _, err := os.Stat(sourcePath); os.IsNotExist(err) {
@@ -968,7 +984,7 @@ func (s *Server) markUnreadHandler(w http.ResponseWriter, r *http.Request) {
}
if err := os.Rename(sourcePath, destPath); err != nil {
- log.Println("unread error: ", err)
+ fmt.Println("unread error: ", err)
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(map[string]interface{}{
"success": false,
@@ -976,7 +992,9 @@ func (s *Server) markUnreadHandler(w http.ResponseWriter, r *http.Request) {
})
return
}
- log.Println("unread success: ", sourcePath, "to", destPath)
+ fmt.Println(r.Header.Get("X-Forwarded-For"),
+ "unread success from",
+ sourcePath, "to", destPath)
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(map[string]interface{}{
@@ -995,7 +1013,6 @@ func auth(handler http.HandlerFunc) http.HandlerFunc {
return
}
- log.Println("authorized access from", r.Header.Get("X-Forwarded-For"))
handler(w, r)
}
}