Defect #11946: Mailhandler reply security hole - Redmine

Actions

Copy link

Defect #11946

open

Mailhandler reply security hole

Added by Kevin Neuenfeldt over 11 years ago. Updated over 5 years ago.

Status:

New

Priority:

Normal

Assignee:

Category:

Email receiving

Target version:

Start date:

Due date:

% Done:

Estimated time:

Resolution:

Affected version:

2.1.0

Description

I don't know if this is the expected behavior but I recognized that it's possible to reply to an issue of another project than the one specified in the /etc/aliases file.
Assume I have an /etc/aliases file with a line like this one:
foo: "| /opt/redmine/extra/mail_handler/rdm-mailhandler.rb --url=http://localhost:8080 --key=XXXX --project=foo --unknown-user=ignore"

Now I send an email to foo@someurl.net with subject "Re:[#123]" and 123 is the id of an issue that is not part of project foo, anyway the email is not refused.

I would expect that this should not be possible because I limited that emailadress to project foo.

History
Notes
Property changes

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Redmine

Custom queries

Defect #11946

Mailhandler reply security hole

Updated by William Roush over 11 years ago

Updated by Jean-Philippe Lang over 11 years ago

Updated by Kevin Neuenfeldt over 11 years ago

Updated by Go MAEDA over 5 years ago