Defect #11946

Mailhandler reply security hole

Added by Kevin Neuenfeldt about 10 years ago. Updated about 4 years ago.

Status: New
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: Email receiving
Target version: -
Resolution:
Affected version: 2.1.0

Description

I don't know if this is the expected behavior, but I noticed that it's possible to reply to an issue of a project other than the one specified in the /etc/aliases file.
Assume I have an /etc/aliases file with a line like this one:
foo: "| /opt/redmine/extra/mail_handler/rdm-mailhandler.rb --url=http://localhost:8080 --key=XXXX --project=foo --unknown-user=ignore"

Now I send an email to that alias with subject "Re:[#123]", where 123 is the id of an issue that is not part of project foo; the email is nevertheless not refused.

I would expect this not to be possible, because I limited that email address to project foo.

History

#1 Updated by William Roush about 10 years ago

This would need to be a flag in the command line I would think: there are many of us that have project set as a default box, but are still listening to system-wide replies on this e-mail address.

#2 Updated by Jean-Philippe Lang about 10 years ago

Indeed. The --project option is for setting the default project for new issues, not to restrict the replies to a given project.
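The distinction made above (a default project for new issues versus a restriction on which issues may be replied to) is easy to see in code. The following is an added example written for this page, not Redmine's MailHandler: it models how an incoming message could be routed and where a project restriction would have to sit. The subject regex, the issue table and the `restrict_replies` option are all assumptions for the sake of illustration; Redmine has no such option in the version discussed here.

```ruby
# Added example (not Redmine code): routing an incoming mail either to an
# existing issue (reply) or to a new issue in the default project, with an
# optional, hypothetical check that refuses replies to issues outside the
# project the alias was configured for.

# Assumed subject pattern: "Re: [#123]" or "Re: [Foo - Bug #123]" name an
# existing issue; anything else is treated as a new issue.
ISSUE_REPLY_SUBJECT_RE = /\[(?:[^\]]*\s+)?#(\d+)\]/

# Constructed issue table for the example: issue id => project identifier.
# Issue 123 lives in project "bar", i.e. NOT in "foo", mirroring the report.
ISSUES = {
  123 => "bar",
  124 => "foo",
}.freeze

Decision = Struct.new(:action, :project, :issue_id, :reason)

# default_project models --project=foo: where NEW issues are created.
# restrict_replies models the hypothetical flag the thread asks for: when
# true, a reply is only accepted if the referenced issue belongs to
# default_project.
def route_mail(subject, default_project:, restrict_replies: false)
  if (m = ISSUE_REPLY_SUBJECT_RE.match(subject))
    issue_id = m[1].to_i
    project = ISSUES[issue_id]
    if project.nil?
      # Matches the spirit of --unknown-user=ignore: silently drop it.
      return Decision.new(:ignore, nil, issue_id, "unknown issue ##{issue_id}")
    end
    if restrict_replies && project != default_project
      return Decision.new(:ignore, project, issue_id,
                          "issue ##{issue_id} belongs to #{project}, " \
                          "alias is limited to #{default_project}")
    end
    # Without the restriction this is exactly the behaviour reported:
    # the note lands on issue 123 in project "bar" even though the alias
    # was configured with --project=foo.
    Decision.new(:add_note, project, issue_id, "reply to issue ##{issue_id}")
  else
    # No issue reference: --project only decides where new issues go.
    Decision.new(:create_issue, default_project, nil,
                 "new issue in default project #{default_project}")
  end
end

if __FILE__ == $PROGRAM_NAME
  [
    ["Re: [#123]", false],
    ["Re: [#123]", true],
    ["Re: [Foo - Bug #124]", true],
    ["Printer on fire", false],
  ].each do |subject, restrict|
    d = route_mail(subject, default_project: "foo", restrict_replies: restrict)
    puts "#{subject.inspect} restrict=#{restrict} => #{d.action} (#{d.reason})"
  end
end
```

Run as-is, the first line of output shows the reported behaviour (the reply is added to an issue in project bar); the second shows what a restriction flag would change, and the last shows that --project still only governs where mails without an issue reference are filed.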

#3 Updated by Kevin Neuenfeldt about 10 years ago

As far as I know there is no option --issue yet, even in the new redmine 2.1.0.
Is there any need so I could make a request for a future release?

#4 Updated by Go MAEDA about 4 years ago

  • Category changed from Importers to Email receiving
