[Tickets #11376] Itip auto-accept confirmation requests
bugs at horde.org
Sat Aug 25 03:48:36 UTC 2012
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/11376
------------------------------------------------------------------------------
Ticket | 11376
Created By | Michael Slusarz <slusarz at horde.org>
Summary | Itip auto-accept confirmation requests
Queue | IMP
Version | Git master
Type | Enhancement
State | Assigned
Priority | 1. Low
Milestone |
Patch |
Owners | Horde Developers, Jan Schneider, Michael Rubinsky,
| Michael Slusarz
------------------------------------------------------------------------------
Michael Slusarz <slusarz at horde.org> (2012-08-24 21:48) wrote:
A client would like to see auto-updating of the local calendar when a
confirmation itip message is received (and read) by the user.
Apparently, Gmail does this.

I am not comfortable with this because this is the classic "triggering
an action via unauthenticated data" problem. The concern is that
because anybody can send a message accepting (if they have the
original invite data), there is no guarantee it is from the user you
originally sent the invite to.

Example: I send an invitation to foo at example.com. However,
bar at example.com sends back an acceptance for foo at example.com. This is
a case where I know something is up/screwy, so I won't accept that
invitation and update foo at example.com's status. Granted,
bar at example.com will probably cover his tracks better (e.g. forging
the from address), but this still shows the problem with auto-accepting.

What do people think about this?
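
The check discussed in the message above, sketched as an added example (not part of the ticket and not Horde/IMP code): a REPLY is applied automatically only when its single ATTENDEE was invited for that UID, the From address matches that attendee, and the sender was authenticated. The `invited` store and the `sender_authenticated` flag are assumptions standing in for the calendar's own data and for a DKIM/DMARC or S/MIME verdict obtained elsewhere.

```python
from email import message_from_string
from email.utils import parseaddr

def parse_itip(ics):
    """Return (method, uid, [(attendee_address, partstat), ...]) from an iTIP body."""
    # Unfold continuation lines. Simplification: parameters containing ':' are not handled.
    lines = ics.replace("\r\n", "\n").replace("\n ", "").replace("\n\t", "").split("\n")
    method = uid = None
    attendees = []
    for line in lines:
        head, _, value = line.partition(":")
        name, *params = head.upper().split(";")
        value = value.strip()
        if name == "METHOD":
            method = value.upper()
        elif name == "UID":
            uid = value
        elif name == "ATTENDEE":
            addr = value.lower()
            addr = addr[7:] if addr.startswith("mailto:") else addr
            partstat = dict(p.split("=", 1) for p in params if "=" in p).get("PARTSTAT")
            attendees.append((addr, partstat))
    return method, uid, attendees

def reply_decision(raw_message, invited, sender_authenticated):
    """invited: {UID: set of addresses we invited} (hypothetical local store).
    sender_authenticated: assumed verdict from a separate check of the From
    address (e.g. DKIM/DMARC pass or a valid S/MIME signature)."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    ics = next((p.get_payload(decode=True).decode("utf-8", "replace")
                for p in msg.walk() if p.get_content_type() == "text/calendar"), "")
    method, uid, attendees = parse_itip(ics)
    if method != "REPLY" or uid not in invited:
        return "ignore", "not a reply to an invitation we sent"
    if len(attendees) != 1 or attendees[0][0] not in invited[uid]:
        return "manual", "reply does not name exactly one invited attendee"
    addr, partstat = attendees[0]
    if addr != sender:
        return "manual", f"{sender} answered on behalf of {addr}"
    if not sender_authenticated:
        return "manual", "From matches the attendee but is unauthenticated"
    return "auto", partstat

# Constructed sample: invitation went to foo@example.com, bar@example.com replies.
SAMPLE = ("From: bar@example.com\nContent-Type: text/calendar; method=REPLY\n\n"
          "BEGIN:VCALENDAR\nMETHOD:REPLY\nBEGIN:VEVENT\nUID:evt-1\n"
          "ATTENDEE;PARTSTAT=ACCEPTED:mailto:foo@example.com\nEND:VEVENT\nEND:VCALENDAR\n")
INVITED = {"evt-1": {"foo@example.com"}}
```

With the constructed sample, the mismatched sender is routed to manual review, and a matching but unauthenticated From address is treated the same way, which covers the forged-From case raised in the message.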