
FIX Security to restrict email sending was not efficient

Laurent Destailleur 8 年之前
父節點
當前提交
534e2b1282

+ 7 - 1
build/debian/conf.php.install

@@ -222,7 +222,13 @@ $dolibarr_main_prod='0';
 # $dolibarr_main_limit_users='0';
 
 # dolibarr_mailing_limit_sendbyweb
-# Can set a limit for mailing send by web, can be used for a restricted mode.
+# Can set a limit for mailing send by web. This overwrite database value. Can be used to restrict on OS level.
 # Default value: 0 (use database value if exist)
 # Examples:
 # $dolibarr_mailing_limit_sendbyweb='0';
+
+# dolibarr_mailing_limit_sendbycli
+# Can set a limit for mailing send by cli. This overwrite database value. Can be used to restrict on OS level.
+# Default value: 0 (use database value if exist)
+# Examples:
+# $dolibarr_mailing_limit_sendbycli='0';

+ 2 - 1
htdocs/admin/system/constall.php

@@ -90,7 +90,8 @@ $configfileparameters=array(
                             '?dolibarr_font_DOL_DEFAULT_TTF_BOLD',
 							'separator',
 							'?dolibarr_mailing_limit_sendbyweb',
-							'?dolibarr_strict_mode'
+							'?dolibarr_mailing_limit_sendbycli',
+                            '?dolibarr_strict_mode'
 						);
 $configfilelib=array(
 //					'separator',
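Review bot: The new entry at L38 (`'?dolibarr_strict_mode'`, re-added after the insertion) is indented with spaces while every neighbouring element of $configfileparameters uses tabs, so the array now mixes both in consecutive lines. Keep the existing tab indentation for the moved line, `							'?dolibarr_strict_mode'`, so the hunk only shows the one genuinely added element `'?dolibarr_mailing_limit_sendbycli'`.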

+ 2 - 1
htdocs/admin/system/dolibarr.php

@@ -284,7 +284,8 @@ $configfileparameters=array(
 		'separator4' => '',
 		'dolibarr_main_prod' => 'Production mode (Hide all error messages)',
 		'?dolibarr_mailing_limit_sendbyweb' => 'Limit nb of email sent by page',
-		'?dolibarr_strict_mode' => 'Strict mode is on/off',
+		'?dolibarr_mailing_limit_sendbycli' => 'Limit nb of email sent by cli',
+        '?dolibarr_strict_mode' => 'Strict mode is on/off',
 		'?dolibarr_pdf_force_fpdf' => 'Force fpdf usage to generate PDF'
 );
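Review bot: Line L52 re-indents `'?dolibarr_strict_mode' => 'Strict mode is on/off',` with spaces inside an array that is otherwise tab-indented, which turns a one-line addition into a two-line change and leaves mixed whitespace behind. Restore the tab indentation on that line so only `'?dolibarr_mailing_limit_sendbycli' => 'Limit nb of email sent by cli',` is new. For consistency with the other labels in this array, spelling it `CLI` would read better than `cli`.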
 

+ 8 - 5
htdocs/comm/mailing/card.php

@@ -761,6 +761,7 @@ else
 				$sendingmode=$conf->global->MAIN_MAIL_SENDMODE;
 				if (empty($sendingmode)) $sendingmode='mail';	// If not defined, we use php mail function
 
+				// Note: MAILING_LIMIT_SENDBYWEB is always defined to something != 0
 				if (! empty($conf->global->MAILING_NO_USING_PHPMAIL) && $sendingmode == 'mail')
 				{
 					// EMailing feature may be a spam problem, so when you host several users/instance, having this option may force each user to use their own SMTP agent.
@@ -772,19 +773,21 @@ else
 					if (! empty($conf->global->MAILING_SMTP_SETUP_EMAILS_FOR_QUESTIONS)) setEventMessages($langs->trans("MailSendSetupIs3", $conf->global->MAILING_SMTP_SETUP_EMAILS_FOR_QUESTIONS), null, 'warnings');
 					$_GET["action"]='';
 				}
-				else if (empty($conf->global->MAILING_LIMIT_SENDBYWEB))
+				else if ($conf->global->MAILING_LIMIT_SENDBYWEB == '-1')
 				{
-					// Pour des raisons de securite, on ne permet pas cette fonction via l'IHM,
-					// on affiche donc juste un message
+					// No limit was defined, so the feature is forbidden from GUI, we show just a message.
 					setEventMessages($langs->trans("MailingNeedCommand"), null, 'warnings');
 					setEventMessages('<textarea cols="60" rows="'.ROWS_1.'" wrap="soft">php ./scripts/emailings/mailing-send.php '.$object->id.'</textarea>', null, 'warnings');
-					setEventMessages($langs->trans("MailingNeedCommand2"), null, 'warnings');
+					if ($conf->file->mailing_limit_sendbyweb != '-1')
+					{
+					   setEventMessages($langs->trans("MailingNeedCommand2"), null, 'warnings');  // You can send online with constant...
+					}
 					$_GET["action"]='';
 				}
 				else
 				{
 					$text='';
-                    if ($conf->file->mailing_limit_sendbyweb == 0)
+					if ($conf->global->MAILING_LIMIT_SENDBYCLI >= 0)
                     {
                     	$text.=$langs->trans("MailingNeedCommand");
                     	$text.='<br><textarea cols="60" rows="'.ROWS_2.'" wrap="soft">php ./scripts/emailings/mailing-send.php '.$object->id.' '.$user->login.'</textarea>';
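Review bot: The else branch at L87-94 is the path where web sending is permitted, yet L93 builds $text from MailingNeedCommand, which this same commit rewords in mails.lang to say sending "must be performed from command line"; the user is then, presumably, shown the confirm dialog to send from the browser, so the two texts now contradict each other. Either keep the softer wording for this branch or use a distinct language key here, e.g. `$text.=$langs->trans("MailingCommandLineRecommended");`. The comparisons at L73 and L81 are loose `==`/`!=` against the string '-1'; since the conf.php value arrives as a string and the database constant may be an int, `(int) $conf->global->MAILING_LIMIT_SENDBYWEB === -1` would state the intent unambiguously. The else block, and the use of $text, continue past the end of the hunk.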

+ 9 - 3
htdocs/conf/conf.php.example

@@ -262,9 +262,15 @@ $dolibarr_main_db_prefix='';
 // $dolibarr_main_limit_users='0';
 
 // dolibarr_mailing_limit_sendbyweb
-// Can set a limit for mailing send by web. Can be used for a restricted mode.
-// Default value: 0 (use database value if exist)
-// Examples:
+// Can set a limit for mailing send by web. This overwrite database value. Can be used to restrict on OS level.
+// Default value: '0' (no overwrite, use database value if exists)
+// Examples: '-1' (sending by web is forbidden)
+// $dolibarr_mailing_limit_sendbyweb='0';
+
+// dolibarr_mailing_limit_sendbycli
+// Can set a limit for mailing send by cli. This overwrite database value. Can be used to restrict on OS level.
+// Default value: '0' (no overwrite, use database value if exists)
+// Examples: '-1' (sending by cli is forbidden)
 // $dolibarr_mailing_limit_sendbyweb='0';
 
 // dolibarr_strict_mode
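Review bot: The example at L115 for the new dolibarr_mailing_limit_sendbycli parameter still names the old variable, `// $dolibarr_mailing_limit_sendbyweb='0';`, a copy-paste leftover from the block above it, so an administrator who uncomments it and sets '-1' to forbid CLI sending would instead forbid web sending. It should read `// $dolibarr_mailing_limit_sendbycli='0';`. The debian template changed in the same commit (build/debian/conf.php.install) gets the variable name right but does not mention the '-1' forbid value that this file documents; the two comment blocks should say the same thing.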

+ 1 - 0
htdocs/filefunc.inc.php

@@ -122,6 +122,7 @@ if (empty($dolibarr_main_db_encryption)) $dolibarr_main_db_encryption=0;
 if (empty($dolibarr_main_db_cryptkey)) $dolibarr_main_db_cryptkey='';
 if (empty($dolibarr_main_limit_users)) $dolibarr_main_limit_users=0;
 if (empty($dolibarr_mailing_limit_sendbyweb)) $dolibarr_mailing_limit_sendbyweb=0;
+if (empty($dolibarr_mailing_limit_sendbycli)) $dolibarr_mailing_limit_sendbycli=0;
 if (empty($dolibarr_strict_mode)) $dolibarr_strict_mode=0; // For debug in php strict mode
 // TODO Multicompany Remove this. Useless.
 if (empty($multicompany_transverse_mode)) $multicompany_transverse_mode=0;

+ 2 - 2
htdocs/langs/en_US/mails.lang

@@ -116,9 +116,9 @@ SearchAMailing=Search mailing
 SendMailing=Send emailing
 SendMail=Send email
 SentBy=Sent by
-MailingNeedCommand=For security reason, sending an emailing is better when performed from command line. If you have one, ask your server administrator to launch the following command to send the emailing to all recipients:
+MailingNeedCommand=For security reason, sending an emailing must be performed from command line. Ask your server administrator to launch the following command to send the emailing to all recipients:
 MailingNeedCommand2=You can however send them online by adding parameter MAILING_LIMIT_SENDBYWEB with value of max number of emails you want to send by session. For this, go on Home - Setup - Other. 
-ConfirmSendingEmailing=If you can't or prefer sending them with your www browser, please confirm you are sure you want to send emailing now from your browser ?
+ConfirmSendingEmailing=If you want to send emailing directly from this screen, please confirm you are sure you want to send emailing now from your browser ?
 LimitSendingEmailing=Note: Sending of emailings from web interface is done in several times for security and timeout reasons, <b>%s</b> recipients at a time for each sending session.
 TargetsReset=Clear list
 ToClearAllRecipientsClickHere=Click here to clear the recipient list for this emailing

+ 13 - 0
htdocs/master.inc.php

@@ -61,6 +61,7 @@ if (defined('TEST_DB_FORCE_TYPE')) $conf->db->type=constant('TEST_DB_FORCE_TYPE'
 // Set properties specific to conf file
 $conf->file->main_limit_users			= $dolibarr_main_limit_users;
 $conf->file->mailing_limit_sendbyweb	= $dolibarr_mailing_limit_sendbyweb;
+$conf->file->mailing_limit_sendbycli	= $dolibarr_mailing_limit_sendbycli;
 $conf->file->main_authentication		= empty($dolibarr_main_authentication)?'':$dolibarr_main_authentication;	// Identification mode
 $conf->file->main_force_https			= empty($dolibarr_main_force_https)?'':$dolibarr_main_force_https;			// Force https
 $conf->file->strict_mode 				= empty($dolibarr_strict_mode)?'':$dolibarr_strict_mode;					// Force php strict mode (for debug)
@@ -188,6 +189,18 @@ if (! empty($conf->file->mailing_limit_sendbyweb))
 {
 	$conf->global->MAILING_LIMIT_SENDBYWEB = $conf->file->mailing_limit_sendbyweb;
 }
+if (empty($conf->global->MAILING_LIMIT_SENDBYWEB))
+{
+    $conf->global->MAILING_LIMIT_SENDBYWEB = 25;
+}
+if (! empty($conf->file->mailing_limit_sendbycli))
+{
+    $conf->global->MAILING_LIMIT_SENDBYCLI = $conf->file->mailing_limit_sendbycli;
+}
+if (empty($conf->global->MAILING_LIMIT_SENDBYCLI))
+{
+    $conf->global->MAILING_LIMIT_SENDBYCLI = 0;
+}
 
 // If software has been locked. Only login $conf->global->MAIN_ONLY_LOGIN_ALLOWED is allowed.
 if (! empty($conf->global->MAIN_ONLY_LOGIN_ALLOWED))
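Review bot: The fallback at L162-165 changes the default security posture without saying so: before this commit card.php refused web sending when MAILING_LIMIT_SENDBYWEB was empty, whereas now an unset value, and because `empty()` is used also an explicit 0 stored in the database, becomes a limit of 25 recipients per session. Administrators who relied on unset/0 to forbid web sending must now use -1, which deserves a comment next to the literal, e.g. `// No web limit configured: default to 25 per session. Web sending is only forbidden by -1 (set it in conf.php so the GUI cannot override it).` The magic 25 would be clearer as a named constant, and the new lines are indented with spaces while the surrounding file uses tabs.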

+ 10 - 1
scripts/emailings/mailing-send.php

@@ -61,6 +61,11 @@ $error=0;
 @set_time_limit(0);
 print "***** ".$script_file." (".$version.") pid=".dol_getmypid()." *****\n";
 
+if ($conf->global->MAILING_LIMIT_SENDBYCLI == '-1')
+{
+    
+}
+
 $user = new User($db);
 // for signature, we use user send as parameter
 if (! empty($login)) $user->fetch('',$login);
@@ -108,7 +113,11 @@ if ($resql)
 			$sql2 = "SELECT mc.rowid, mc.lastname as lastname, mc.firstname as firstname, mc.email, mc.other, mc.source_url, mc.source_id, mc.source_type, mc.tag";
 			$sql2.= " FROM ".MAIN_DB_PREFIX."mailing_cibles as mc";
 			$sql2.= " WHERE mc.statut < 1 AND mc.fk_mailing = ".$id;
-
+		    if ($conf->global->MAILING_LIMIT_SENDBYCLI > 0)
+		    {
+		        $sql2.= " LIMIT ".$conf->global->MAILING_LIMIT_SENDBYCLI;
+		    }
+				
 			$resql2=$db->query($sql2);
 			if ($resql2)
 			{