Contributors mailing list archives

contributors@odoo-community.org

Broken design in public mail threads

by Yajo <yajo.sk8@gmail.com> - 29/03/2016 08:23:51
Hi there community!

Recently I found a bug that, commercially speaking, I'd say is a security bug.

You can read it here: https://github.com/odoo/odoo/issues/11376

When anybody subscribes to any public mail thread, he can write to it. When it comes from a website-related part, this means that you can subscribe to a blog/slide, wait for a mail to arrive, and then reply to it so that your reply gets delivered to all the other subscribers out there.

If you belong to a competitor company, you could abuse that to send spam or publicize your company.

Since this is a by-design bug that comes from the mail thread design of the pre-website era, I'm not sure how it could be fixed, but I'd like to hear suggestions.