Merge branch 'main' into dependabot/pip/cryptography-45.0.5

Author: GitTimeraider

Dockerfile

@@ -1,4 +1,4 @@
-FROM python:3.11-slim
+FROM python:3.13-slim
 
 # Default UID and GID (can be overridden)
 ARG USER_UID=1000

README.md

@@ -1,7 +1,7 @@
 # DirectAdmin Email Forwarder Manager
 
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
-[![Python 3.11](https://img.shields.io/badge/python-3.11-blue.svg)](https://www.python.org/downloads/)
+[![Python 3.11](https://img.shields.io/badge/python-3.13-blue.svg)](https://www.python.org/downloads/)
 
 A Dockerized secure web application for managing email forwarders through the DirectAdmin API. Features a clean web interface with authentication, 2FA support, user management options.
 

app/auth.py

@@ -6,7 +6,7 @@
 import io
 import base64
 from datetime import datetime
-
+from urllib.parse import urlparse
 auth_bp = Blueprint('auth', __name__)
 
 @auth_bp.route('/login', methods=['GET', 'POST'])
@@ -32,7 +32,11 @@ def login():
                     login_user(user)
 
                     next_page = request.args.get('next')
-                    return redirect(next_page) if next_page else redirect(url_for('index'))
+                    if next_page:
+                        safe_next = next_page.replace('\\', '')
+                        if not urlparse(safe_next).netloc and not urlparse(safe_next).scheme:
+                            return redirect(safe_next)
+                    return redirect(url_for('index'))
                 else:
                     flash('Invalid 2FA code', 'error')
                     # Show 2FA form again with username preserved
@@ -54,7 +58,11 @@ def login():
                     login_user(user)
 
                     next_page = request.args.get('next')
-                    return redirect(next_page) if next_page else redirect(url_for('index'))
+                    if next_page:
+                        safe_next = next_page.replace('\\', '')
+                        if not urlparse(safe_next).netloc and not urlparse(safe_next).scheme:
+                            return redirect(safe_next)
+                    return redirect(url_for('index'))
             else:
                 flash('Invalid username or password', 'error')
 

app/directadmin_api.py

@@ -167,7 +167,10 @@ def test_connection(self):
             return False, "Failed to connect. Please check your credentials."
 
         except Exception as e:
-            return False, f"Connection error: {str(e)}"
+            import traceback
+            print(f"Connection error: {str(e)}")
+            traceback.print_exc()
+            return False, "Connection error: Unable to connect to DirectAdmin."
 
     def get_email_accounts(self):
         """Get all email accounts for the domain"""
@@ -439,7 +442,7 @@ def create_forwarder(self, address, destination):
             print(f"Error creating forwarder: {e}")
             import traceback
             traceback.print_exc()
-            return False, str(e)
+            return False, "An error occurred while creating the forwarder"
 
     def delete_forwarder(self, address):
         """Delete an email forwarder"""
@@ -492,7 +495,7 @@ def delete_forwarder(self, address):
 
         except Exception as e:
             print(f"Error deleting forwarder: {e}")
-            return False, str(e)
+            return False, "An error occurred while deleting the forwarder"
 
     def validate_email(self, email):
         """Basic email validation"""

app/main.py

@@ -93,7 +93,6 @@ def get_email_accounts():
             traceback.print_exc()
             return jsonify({
                 'error': 'Failed to fetch email accounts',
-                'details': str(e),
                 'accounts': []
             }), 500
 
@@ -135,7 +134,6 @@ def get_forwarders():
             traceback.print_exc()
             return jsonify({
                 'error': 'Failed to fetch forwarders',
-                'details': str(e),
                 'forwarders': []
             }), 500
 
@@ -180,15 +178,14 @@ def create_forwarder():
                 })
             else:
                 return jsonify({
-                    'error': message
+                    'error': 'Failed to create forwarder'
                 }), 400
 
         except Exception as e:
             print(f"Error creating forwarder: {str(e)}")
             traceback.print_exc()
             return jsonify({
-                'error': 'Failed to create forwarder',
-                'details': str(e)
+                'error': 'Failed to create forwarder'
             }), 500
 
     @app.route('/api/forwarders', methods=['DELETE'])
@@ -234,8 +231,7 @@ def delete_forwarder():
             print(f"Error deleting forwarder: {str(e)}")
             traceback.print_exc()
             return jsonify({
-                'error': 'Failed to delete forwarder',
-                'details': str(e)
+                'error': 'Failed to delete forwarder'
             }), 500
 
     # ===== Error Handlers =====
@@ -360,4 +356,4 @@ def create_admin():
 app = create_app()
 
 if __name__ == '__main__':
-    app.run(host='0.0.0.0', port=5000, debug=True)
+    app.run(host='0.0.0.0', port=5000)

app/settings.py

@@ -25,7 +25,8 @@ def get_da_config():
         })
     except Exception as e:
         print(f"Error in GET da-config: {e}")
-        return jsonify({'error': str(e)}), 500
+        print(traceback.format_exc())
+        return jsonify({'error': 'An internal error has occurred. Please try again later.'}), 500
 
 @settings_bp.route('/api/da-config', methods=['POST'])
 @login_required
@@ -86,7 +87,7 @@ def update_da_config():
         print(f"Error in POST da-config: {str(e)}")
         print(traceback.format_exc())
         db.session.rollback()
-        return jsonify({'error': str(e)}), 500
+        return jsonify({'error': 'An internal error has occurred. Please try again later.'}), 500
 
 # Keep test-connection separate
 @settings_bp.route('/api/test-connection', methods=['POST'])
@@ -119,7 +120,8 @@ def test_connection():
 
     except Exception as e:
         print(f"Test connection error: {str(e)}")
-        return jsonify({'error': str(e), 'success': False}), 200
+        print(traceback.format_exc())
+        return jsonify({'error': 'An internal error has occurred.', 'success': False}), 200
 
 # Debug route to check available routes
 @settings_bp.route('/api/debug-routes', methods=['GET'])

requirements.txt

@@ -1,10 +1,10 @@
-Flask==2.3.2
+Flask==3.1.1
 Flask-SQLAlchemy==3.1.1
 Flask-Login==0.6.3
-Werkzeug==2.3.6
+Werkzeug==3.1.3
 gunicorn==23.0.0
 pyotp==2.9.0
 qrcode==8.2
 pillow==11.3.0
 requests==2.32.4
-cryptography==45.0.5
+cryptography==45.0.5