mirror of
https://github.com/knadh/listmonk.git
synced 2025-12-05 16:00:03 +01:00
fix-sql-search
subscribers:sql_query permission.
This permission was never checked for and had an unintended consequence of allowing a non-superadmin user to execute arbitrary queries (expected), but getting a superadmin session by joining the `sessions` table. This patch:
- Introduces a table allowlist that uses the Postgres query plan (JSON) and validates the referenced tables against the allowed ones on arbitrary queries issued to the various `/subscribers` APIs.
- Explicitly adds the missing `subscribers:sql_query` permission check to all handlers that accept `query`.
- Introduces a new `search` parameter on all handlers that accept `query`. This parameter is an interface over the default name/email substring search instead of relying on `query`.
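As an added illustration of the plan-based table allowlist the commit message describes (this is not listmonk's own code; the sample plan JSON, the allowlist contents and the function names are constructed assumptions), the following Go program parses the array that Postgres `EXPLAIN (FORMAT JSON)` returns, walks every node of the plan tree to collect the relations it reads, and rejects the query if any of them fall outside the allowlist:

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// planNode is the subset of a Postgres EXPLAIN (FORMAT JSON) plan node needed
// here: the relation a scan node reads, and the child nodes beneath it. Scans
// inside views, subqueries, CTEs and init plans all appear as nested nodes, so
// a full tree walk sees every base table the query would touch.
type planNode struct {
	NodeType     string     `json:"Node Type"`
	RelationName string     `json:"Relation Name"`
	Plans        []planNode `json:"Plans"`
}

// explainRow is one element of the top-level JSON array EXPLAIN returns.
type explainRow struct {
	Plan planNode `json:"Plan"`
}

// samplePlan is a constructed EXPLAIN (FORMAT JSON) output for a query that
// joins subscribers to sessions; it is an assumption standing in for the plan
// a live database would return for the user's query text.
const samplePlan = `[{"Plan":{"Node Type":"Hash Join","Join Type":"Inner","Plans":[
  {"Node Type":"Seq Scan","Parent Relationship":"Outer","Relation Name":"subscribers","Alias":"s"},
  {"Node Type":"Hash","Parent Relationship":"Inner","Plans":[
    {"Node Type":"Seq Scan","Parent Relationship":"Outer","Relation Name":"sessions","Alias":"se"}]}]}}]`

// allowedTables is a hypothetical allowlist for the subscriber-query endpoints.
var allowedTables = []string{"subscribers", "subscriber_lists", "lists"}

// collectRelations walks a plan tree and records every relation name it finds.
func collectRelations(n planNode, out map[string]struct{}) {
	if n.RelationName != "" {
		out[strings.ToLower(n.RelationName)] = struct{}{}
	}
	for _, child := range n.Plans {
		collectRelations(child, out)
	}
}

// relationsFromPlan parses EXPLAIN JSON and returns the set of tables it reads.
func relationsFromPlan(planJSON []byte) (map[string]struct{}, error) {
	var rows []explainRow
	if err := json.Unmarshal(planJSON, &rows); err != nil {
		return nil, fmt.Errorf("parse plan: %w", err)
	}
	rels := make(map[string]struct{})
	for _, r := range rows {
		collectRelations(r.Plan, rels)
	}
	return rels, nil
}

// deniedRelations returns, sorted, the referenced tables that are not
// allowlisted. An empty result means the plan only touches permitted tables.
func deniedRelations(rels map[string]struct{}, allow []string) []string {
	allowed := make(map[string]struct{}, len(allow))
	for _, a := range allow {
		allowed[strings.ToLower(a)] = struct{}{}
	}
	var denied []string
	for r := range rels {
		if _, ok := allowed[r]; !ok {
			denied = append(denied, r)
		}
	}
	sort.Strings(denied)
	return denied
}

// validatePlan is the gate a handler would call before executing the user's
// query: reject if the plan references anything outside the allowlist.
func validatePlan(planJSON []byte, allow []string) error {
	rels, err := relationsFromPlan(planJSON)
	if err != nil {
		return err
	}
	if denied := deniedRelations(rels, allow); len(denied) > 0 {
		return fmt.Errorf("query references disallowed tables: %s", strings.Join(denied, ", "))
	}
	return nil
}

func main() {
	if err := validatePlan([]byte(samplePlan), allowedTables); err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Println("accepted")
}
```

Two points matter when wiring a check like this into a handler. The plan must be obtained for exactly the query text that is then executed, under the same database role and in the same transaction, so the allowlist decision and the execution cannot drift apart. And a plan only lists relations the planner scans directly: a function called from the query can read tables that never appear as plan nodes, so what the database role may execute is a separate control from the table allowlist.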
listmonk is a standalone, self-hosted, newsletter and mailing list manager. It is fast, feature-rich, and packed into a single binary. It uses a PostgreSQL (⩾ 12) database as its data store.
Visit listmonk.app for more info. Check out the live demo.
Installation
Docker
The latest image is available on DockerHub at listmonk/listmonk:latest.
Download and use the sample docker-compose.yml.
# Download the compose file to the current directory.
curl -LO https://github.com/knadh/listmonk/raw/master/docker-compose.yml
# Run the services in the background.
docker compose up -d
Visit http://localhost:9000
Binary
- Download the latest release and extract the listmonk binary.
- Run `./listmonk --new-config` to generate config.toml. Edit it.
- Run `./listmonk --install` to set up the Postgres DB (or `--upgrade` to upgrade an existing DB. Upgrades are idempotent and running them multiple times has no side effects).
- Run `./listmonk` and visit http://localhost:9000
Developers
listmonk is free and open source software licensed under AGPLv3. If you are interested in contributing, refer to the developer setup. The backend is written in Go and the frontend is Vue with Buefy for UI.
License
listmonk is licensed under the AGPL v3 license.
Description
High performance, self-hosted, newsletter and mailing list manager with a modern dashboard. Single binary app.