[Tickets #11376] Re: Itip auto-accept confirmation requests
bugs at horde.org
Sat Aug 25 21:59:58 UTC 2012
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/11376
------------------------------------------------------------------------------
Ticket | 11376
Updated By | Michael Slusarz <slusarz at horde.org>
Summary | Itip auto-accept confirmation requests
Queue | IMP
Version | Git master
Type | Enhancement
State | Assigned
Priority | 1. Low
Milestone |
Patch |
Owners | Horde Developers, Jan Schneider, Michael Rubinsky,
| Michael Slusarz
------------------------------------------------------------------------------
Michael Slusarz <slusarz at horde.org> (2012-08-25 15:59) wrote:

> What about making this a user controlled pref disabled by default
> and at least performing a check against the From header and the
> response's email field?

I was originally going to suggest putting this in mime_drivers.php and
making it a fully admin-based preference choice. But I could see how
some users would NOT want this as the default, even if an admin allows
it, so it does make sense as a vanilla pref. For security reasons,
this should be a locked preference that is set to no auto-accept by
default.

> IMO, it would be a low risk since the malicious user would need all
> of the event details, including the UID, right?

Sure. An attacker needs to at least know the information that an
event exists and the details of the event, so that rules out random
auto-sent e-mails from being a concern.

But within a user's group of contacts (especially if an event has many
potential attendees), this information is not difficult to obtain. So
it's not a tremendously difficult attack either.
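
The checks discussed in this reply (preference off by default, From header compared with the response's email field, UID of a known event), as an added example that is not Horde/IMP code and not from the ticket. The `INVITED` store, the sample message, and the function names are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for the calendar store: event UID -> invited addresses.
INVITED = {"evt-1234@example.org": {"alice@example.org", "bob@example.org"}}
# Constructed iTip REPLY message (not taken from the ticket).
SAMPLE = ("From: Bob <bob@example.org>\nContent-Type: text/calendar; method=REPLY\n\n"
          "BEGIN:VCALENDAR\nMETHOD:REPLY\nBEGIN:VEVENT\nUID:evt-1234@example.org\n"
          'ATTENDEE;CN="Smith: Bob";PARTSTAT=ACCEPTED:mailto:bob@example.org\n'
          "END:VEVENT\nEND:VCALENDAR\n")

def content_lines(ical):
    """Yield (NAME, value) per iCalendar content line, parameters dropped."""
    for line in re.sub(r"\r?\n[ \t]", "", ical).splitlines():  # unfold first
        quoted = False
        for i, ch in enumerate(line):
            if ch == '"':
                quoted = not quoted
            elif ch == ":" and not quoted:  # first colon outside a quoted param
                yield line[:i].split(";")[0].upper(), line[i + 1:].strip()
                break

def may_auto_accept(raw_message, pref_enabled=False):
    """Return (decision, reason); anything unexpected falls back to manual."""
    if not pref_enabled:  # default is no auto-accept
        return False, "preference disabled"
    msg = message_from_string(raw_message)
    from_headers = msg.get_all("From", [])
    if len(from_headers) != 1:
        return False, "missing or repeated From header"
    sender = parseaddr(from_headers[0])[1].lower()
    part = next((p for p in msg.walk() if p.get_content_type() == "text/calendar"), None)
    if part is None or not sender:
        return False, "no calendar part or unparsable From"
    props = {}
    for name, value in content_lines(part.get_payload(decode=True).decode("utf-8", "replace")):
        props.setdefault(name, []).append(value)
    if props.get("METHOD") != ["REPLY"]:
        return False, "not a single iTip REPLY"
    uids, attendees = props.get("UID", []), props.get("ATTENDEE", [])
    if len(uids) != 1 or len(attendees) != 1:
        return False, "expected exactly one UID and one ATTENDEE"
    attendee = re.sub(r"(?i)^mailto:", "", attendees[0]).lower()
    if attendee != sender:
        return False, "From does not match ATTENDEE"
    if attendee not in INVITED.get(uids[0], set()):
        return False, "unknown event or uninvited attendee"
    return True, "ok"
```

A match here only shows that the message is internally consistent and refers to a known event. The From header is supplied by the sender, so the check narrows the risk described in the reply without removing it.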