Comment on [#11376] Itip auto-accept requests
>> What about making this a user controlled pref disabled by default and
>> at least performing a check against the From header and the
>> response's email field?
>
> I was originally going to suggest to put this in mime_drivers.php and
> make it a fully admin-based preference choice. But I could see how
> some users would NOT want this as the default, even if an admin
> allows it, so it does make sense as a vanilla pref. For security
> reasons, this should be a locked preference that is set to no
> auto-accept by default.
>
>> IMO, it would be a low risk since the
>> malicious user would need all of the event details, including the
>> UID, right?
>
> Sure. An attacker needs to at least know the information that an
> event exists and the details of the event, so that rules out random
> auto-sent e-mails from being a concern.
>
> But within a user's group of contacts (especially if an event has
> many potential attendees), this information is not difficult to
> obtain. So it's not a tremendously difficult attack either.
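The checks proposed in the quoted discussion (preference off by default, From header compared with the reply's attendee address, UID matched against an existing event), as an added Python sketch that is not Horde code and not part of the ticket. The event store, addresses and function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data (not from the ticket): events we organise, by UID.
KNOWN_EVENTS = {"uid-1234@example.org": {"alice@example.org", "bob@example.org"}}

def make_reply(from_addr, attendee, uid):
    """Build a constructed iTip REPLY message for the demonstration."""
    ical = ("BEGIN:VCALENDAR\r\nMETHOD:REPLY\r\nBEGIN:VEVENT\r\n"
            f"UID:{uid}\r\n"
            f"ATTENDEE;PARTSTAT=ACCEPTED:mailto:{attendee}\r\n"
            "END:VEVENT\r\nEND:VCALENDAR\r\n")
    return (f"From: Someone <{from_addr}>\r\n"
            "Content-Type: text/calendar; method=REPLY; charset=utf-8\r\n\r\n" + ical)

def should_auto_accept(raw_message, auto_accept_pref=False):
    """Return (decision, reason). Decision is True only if every check passes."""
    if not auto_accept_pref:  # preference is off unless explicitly enabled
        return False, "auto-accept disabled"
    msg = message_from_string(raw_message)
    if msg.get_content_type() != "text/calendar":
        return False, "not an iTip message"
    # Unfold continuation lines (RFC 5545 line folding) before matching.
    body = re.sub(r"\r?\n[ \t]", "", msg.get_payload())
    if not re.search(r"^METHOD:REPLY\s*$", body, re.M | re.I):
        return False, "not a REPLY"
    uid = re.search(r"^UID:(.+?)\s*$", body, re.M | re.I)
    attendees = re.findall(r"^ATTENDEE[^:\r\n]*:mailto:(\S+)", body, re.M | re.I)
    if not uid or len(attendees) != 1:
        return False, "malformed reply"
    attendee = attendees[0].lower()
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender != attendee:
        return False, "From does not match ATTENDEE"
    invited = KNOWN_EVENTS.get(uid.group(1))
    if invited is None or attendee not in invited:
        return False, "unknown event or uninvited attendee"
    # The From header is not authenticated, so these checks narrow the
    # spoofing risk discussed in the thread but do not remove it.
    return True, "ok"
```
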