[Tickets #4517] Re: Linked attachment notification recipient error

bugs at bugs.horde.org bugs at bugs.horde.org
Thu Oct 4 12:21:48 UTC 2007


DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: http://bugs.horde.org/ticket/?id=4517
-----------------------------------------------------------------------
 Ticket             | 4517
 Updated By         | tuomas.silen at nodeta.fi
 Summary            | Linked attachment notification recipient error
 Queue              | IMP
 Version            | 4.1.3
 Type               | Bug
 State              | No Feedback
 Priority           | 2. Medium
 Owners             | 
-----------------------------------------------------------------------


tuomas.silen at nodeta.fi (2007-10-04 05:21) wrote:

I believe this is the same issue I have encountered, so I request this
ticket to be re-opened. The issue exists in versions 4.1.4 and 4.1.5 as
well.

The problem is that when the notification is sent, the mail address
is fetched with Horde's Identity->getDefaultFromAddress() function:

attachment.php, around line 90:
$mail_address = $mail_identity->getDefaultFromAddress();

Now, this works perfectly fine when the user who sent the email actually
has a from-address saved to default identity, but when it's empty we run
into problems.

It's quite common that there's no from address in default identity when
for example the username is the same as the email address that is used and
so i.e. compose-page is able to parse it from there already.

When the one downloading the link is not logged in to Horde (i.e. is an
outside user reading the email somewhere else) this leads to the fact that
the notifications are sent to addresses like
 'Firstname Lastname <"\"\""@hordes_domain.tld>'
and they get bounced to mailer-daemon.

So if you're the postmaster you will get quite annoyed by all those
notifications and that's why I actually started to debug this issue.

It looks like there was an attempt to fix this in 4.1.4 and 4.1.5. I
haven't tested if it works, but I doubt it, because at least in my case the
returned address is not just <> but <"\"\""@hordes_domain.tld>.


The bigger problem, actually a small security issue, happens when the
first one downloading the link does it through the same horde/imp-system.

This is because when the from-address in the default identity is empty,
getDefaultFromAddress() does this:
        if (empty($addr)) {
            $addr = Auth::getAuth();
        }

As a result, the address of the user downloading the link is returned
and the notification is sent there, allowing this user to permanently
delete the linked attachment.

My suggestion is that when the from-address in default identity is empty,
the email address should be constructed from the username (which we get
from the link) or the username and the default domain (if there's no @ in
username). As the username is also used to get the attachment's name, and
attachment's existence is checked before, I don't see any risk in doing
so.
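
Added example, not part of the original message and not Horde/IMP code: a sketch of the session fallback described above next to the owner-derived address the ticket suggests. The function names, parameters and sample values are hypothetical and constructed for illustration.

```php
<?php
// Illustration only: these helpers are hypothetical, not Horde/IMP API.

// Behaviour described in the ticket: an empty identity address falls back
// to whoever is authenticated in the *current* session, i.e. the downloader.
function recipientFromSession(string $identityAddr, ?string $sessionUser): string
{
    return $identityAddr !== '' ? $identityAddr : (string) $sessionUser;
}

// Suggested behaviour: derive the address from the attachment owner's
// username (taken from the link), adding the default domain when the
// username carries no '@'. The session user is never consulted.
function recipientFromOwner(string $identityAddr, string $linkUser, string $defaultDomain): ?string
{
    $addr = trim($identityAddr);
    if ($addr === '') {
        $addr = strpos($linkUser, '@') === false
            ? $linkUser . '@' . $defaultDomain
            : $linkUser;
    }
    // Return null instead of mailing an address that will only bounce.
    return filter_var($addr, FILTER_VALIDATE_EMAIL) !== false ? $addr : null;
}

// Constructed sample: owner "alice" has no from-address in her default
// identity; "bob" is logged in to the same installation and opens the link.
$owner      = 'alice';
$downloader = 'bob@example.org';
$domain     = 'example.org';

// Session fallback: the notification (and its delete link) goes to the downloader.
var_dump(recipientFromSession('', $downloader));

// Owner-derived address: the notification stays with the attachment's owner.
var_dump(recipientFromOwner('', $owner, $domain));

// An unusable username yields null, so the caller can skip sending.
var_dump(recipientFromOwner('', '', $domain));
```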




