Comment on [#4517] Linked attachment notification recipient error
> I believe this is the same issue I have encountered, so I request this ticket to be re-opened. The issue exists in versions 4.1.4 and 4.1.5 as well.
>
> > The problem is that when the notification is sent the mail address is fetched with Horde's Identity->getDefaultFromAddress() function:
> >
> > attachment.php, around line 90:
> > $mail_address = $mail_identity->getDefaultFromAddress();
> >
> > Now, this works perfectly fine when the user who sent the email actually has a from-address saved to default identity, but when it's empty we run into problems.
> >
> > It's quite common that there's no from address in default identity when for example the username is the same as the email address that is used and so i.e. compose-page is able to parse it from there already.
> >
> > When the one downloading the link is not logged in to Horde (i.e. is an outside user reading the email somewhere else) this leads to the fact that the notifications are sent to addresses like
> > 'Firstname Lastname <"\"\""@hordes_domain.tld>'
> > and they get bounced to mailer-daemon.
> >
> > So if you're the postmaster you will get quite annoyed by all those notifications and that's why I actually started to debug this issue.
> >
> > It looks like there was an attempt to fix this in 4.1.4 and 4.1.5, I haven't tested if it works, but I doubt it, because at least in my case the returned address is not just <> but <"\"\""@hordes_domain.tld>.
> >
> > The bigger problem, actually a small security issue, happens when the first one downloading the link does it through the same horde/imp-system.
> >
> > This is because when the from-address in the default identity is empty, getDefaultFromAddress() does this:
> > if (empty($addr)) {
> >     $addr = Auth::getAuth();
> > }
> >
> > As a result, the address of the user downloading the link is returned and the notification is sent there, allowing this user to permanently delete the linked attachment.
> >
> > My suggestion is that when the from-address in default identity is empty, the email address should be constructed from the username (which we get from the link) or the username and the default domain (if there's no @ in username). As the username is also used to get the attachment's name, and attachment's existence is checked before, I don't see any risk in doing so.
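
The fallback described in the quoted comment, next to the suggested owner-based derivation, as an added stand-alone example. It is not Horde or IMP code and not part of the ticket; the function names, the address pattern and the sample users are assumptions made for illustration, and addresses are assumed to be bare (no display name).

```php
<?php
// Added illustration; function and parameter names are hypothetical, not Horde's API.

/**
 * Behaviour described in the ticket: with an empty default from-address,
 * the recipient falls back to whoever is currently authenticated,
 * i.e. the person downloading the attachment.
 */
function recipientWithSessionFallback(string $ownerFromAddr, string $sessionUser): string
{
    return $ownerFromAddr !== '' ? $ownerFromAddr : $sessionUser;
}

/**
 * Suggested behaviour: derive the recipient only from the attachment
 * owner's username (taken from the link), never from the session.
 * Returns null when no plausible address can be built, so the caller
 * skips the notification instead of mailing a malformed address.
 */
function recipientFromLinkOwner(string $ownerFromAddr, string $linkUser, string $defaultDomain): ?string
{
    $addr = $ownerFromAddr;
    if ($addr === '') {
        $addr = strpos($linkUser, '@') !== false
            ? $linkUser
            : $linkUser . '@' . $defaultDomain;
    }
    // Reject empty local parts, quotes, whitespace and control characters.
    if (!preg_match('/^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+$/', $addr)) {
        return null;
    }
    return $addr;
}

// Constructed sample: "alice" sent the link and has no from-address saved;
// "bob" is logged in to the same installation and downloads it first.
$owner = ['from_addr' => '', 'username' => 'alice'];
$session = 'bob@example.org';

echo "session fallback: ", recipientWithSessionFallback($owner['from_addr'], $session), "\n";
echo "link-owner based: ", recipientFromLinkOwner($owner['from_addr'], $owner['username'], 'example.org'), "\n";

// An empty username must not be turned into "@example.org".
var_dump(recipientFromLinkOwner('', '', 'example.org'));
```

With the session fallback the delete-capable notification goes to the downloader; with the owner-based derivation it goes to the sender regardless of who is logged in.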