Contributors mailing list archives

contributors@odoo-community.org

Re: Broken design in public mail threads

by
Camptocamp France SAS, Alexandre Fayolle
- 04/04/2016 06:49:11
On 29/03/2016 10:38, Yajo wrote:
> Hi there community!
> 
> Recently I found a bug that, commercially-speaking, I'd say it's a
> security bug.
> 
> You can read it here: https://github.com/odoo/odoo/issues/11376
> 
> When anybody subscribes to any public mailing thread, he can write to
> it. When it comes from a website-related part, it means that you can
> subscribe to a blog/slide, wait for a mail to come, and then reply to
> it so that your answer gets delivered to any other subscribers out there.
> 
> If you belong to a competitor company, you could abuse that to send spam
> or publicize your company.
> 
> Since this is a by-design bug that comes from the mail thread design in
> the pre-website era, I'm not sure how this could be fixed, but I'd like
> to hear suggestions.


This is really bad and, as you say, the root cause makes it really
widespread and hard to hunt. We have similar issues with other mailing
lists on the OCA website...


-- 
Alexandre Fayolle
Chef de Projet
Tel : +33 4 58 48 20 30

Camptocamp France SAS
Savoie Technolac, BP 352
73377 Le Bourget du Lac Cedex
http://www.camptocamp.com
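The abuse path described in the thread (follow a public post, wait for a notification, reply to it, reach every other follower) modelled as a small in-memory mail gateway. This is an added example, not Odoo's or OCA's code: the class names, the `WEBSITE_MODELS` set, the `internal` user flag and the "internal users only may post by mail on website-originated threads" gate are all assumptions made for illustration, and the users, post and messages are constructed sample data. It contrasts the permissive routing the thread complains about with one possible gate, so you can see exactly who receives the outsider's reply in each case.

```python
"""Illustrative model of follower-reply routing on a public mail thread.

Added example, not Odoo code. Assumed names: User, Thread, MailGateway,
WEBSITE_MODELS. Sample users and messages below are constructed.
"""
from dataclasses import dataclass, field

# Assumed: thread models that originate from the public website and whose
# followers may therefore be anonymous outsiders rather than employees.
WEBSITE_MODELS = {"blog.post", "slide.slide"}


@dataclass
class User:
    email: str
    internal: bool = False  # assumed flag: True for employees / internal users


@dataclass
class Thread:
    name: str
    model: str  # e.g. "blog.post" (website-originated) or "project.task"
    followers: set = field(default_factory=set)
    messages: list = field(default_factory=list)


class MailGateway:
    def __init__(self, users, threads):
        self.users = {u.email: u for u in users}
        self.threads = {t.name: t for t in threads}
        # Every outgoing notification: (recipient, thread, sender, body)
        self.outbox = []

    def subscribe(self, email, thread_name):
        # Public threads let anyone follow; this is the step the attacker takes.
        self.threads[thread_name].followers.add(email)

    def _post(self, thread, sender, body):
        thread.messages.append((sender, body))
        for follower in thread.followers:
            if follower != sender:
                self.outbox.append((follower, thread.name, sender, body))

    def route_reply_permissive(self, sender, thread_name, body):
        """Behaviour described in the thread: any follower who replies is broadcast."""
        thread = self.threads[thread_name]
        if sender not in thread.followers:
            return "bounced: not a follower"
        self._post(thread, sender, body)
        return "delivered"

    def route_reply_gated(self, sender, thread_name, body):
        """Assumed gate: on website-originated threads only internal users post by mail."""
        thread = self.threads[thread_name]
        if sender not in thread.followers:
            return "bounced: not a follower"
        user = self.users.get(sender)
        if thread.model in WEBSITE_MODELS and not (user and user.internal):
            return "rejected: external reply on public thread"
        self._post(thread, sender, body)
        return "delivered"


def run_scenario(gated):
    """Replay the abuse path; return the routing status and who got the outsider's mail."""
    alice = User("alice@example.com", internal=True)   # constructed: the blog author
    bob = User("bob@customer.example")                  # constructed: a real reader
    mallory = User("mallory@competitor.example")        # constructed: the outsider
    post = Thread("Spring release", model="blog.post")
    gw = MailGateway([alice, bob, mallory], [post])
    for u in (alice, bob, mallory):
        gw.subscribe(u.email, post.name)
    # Alice publishes; every follower, Mallory included, receives a notification.
    gw._post(post, alice.email, "The spring release is out")
    # Mallory replies to that notification from her follower address.
    route = gw.route_reply_gated if gated else gw.route_reply_permissive
    status = route(mallory.email, post.name, "Buy from Competitor Inc instead!")
    spam_recipients = sorted(r for r, _t, s, _b in gw.outbox if s == mallory.email)
    return status, spam_recipients


if __name__ == "__main__":
    print("permissive:", run_scenario(gated=False))
    print("gated:     ", run_scenario(gated=True))
```

In the permissive run the competitor's reply reaches every other follower of the post; with the gate it is rejected before it is stored or notified. The gate is deliberately blunt (it keys on the thread's model and the sender's internal flag) because, as the thread notes, the root cause is in the shared mail-thread design rather than in any single model, so a real fix would have to be applied at that common routing point.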