Vote #72555

Open

Mailhandler reply security hole

Added by Admin Redmine almost 4 years ago. Updated almost 4 years ago.

Status: New
Priority: Normal
Assignee: -
Category: Email receiving_29
Target version: -
Start date: 2022/05/09
Due date:
% Done: 0%
Estimated time:
category_id: 29
version_id: 0
issue_org_id: 11946
author_id: 63837
assigned_to_id: 0
comments: 4
status_id: 1
tracker_id: 1
plus1: 0
affected_version:
closed_on:
affected_version_id: 47
Status-->[New]

Description

I don't know if this is the expected behavior but I recognized that it's possible to reply to an issue of another project than the one specified in the /etc/aliases file.
Assume I have an /etc/aliases file with a line like this one:
foo: "| /opt/redmine/extra/mail_handler/rdm-mailhandler.rb --url=http://localhost:8080 --key=XXXX --project=foo --unknown-user=ignore"

Now I send an email to foo@someurl.net with subject "Re:[#123]" and 123 is the id of an issue that is not part of project foo, anyway the email is not refused.

I would expect that this should not be possible because I limited that email address to project foo.


journals

This would need to be a flag in the command line I would think: there are many of us that have project set as a _default_ box, but are still listening to system-wide replies on this e-mail address.
--------------------------------------------------------------------------------
Indeed. The @--project@ option is for setting the default project for new issues, not to restrict the replies to a given project.
--------------------------------------------------------------------------------
As far as I know there is no option _--issue_ yet, even in the new Redmine 2.1.0.
Is there any need so I could make a request for a future release?
--------------------------------------------------------------------------------

Updated by Admin Redmine almost 4 years ago

  • Category set to Email receiving_29
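
The routing behaviour discussed in this thread, as an added Ruby example that is not Redmine's mail handler code and not part of the original issue: it models an alias bound to a default project and shows how an opt-in check would refuse replies to issues of other projects. The issue table, the subject pattern and the `restrict_replies` switch are assumptions made for illustration.

```ruby
# Added example: stand-alone model, not Redmine's mail handler code.
# Constructed sample data: issue id => project identifier.
ISSUES = { 123 => "bar", 456 => "foo" }.freeze

# Assumed reply subject format, e.g. "Re:[#123]" or "Re: [Bug #123] title".
REPLY_SUBJECT_RE = /\[(?:[^\]]*\s)?#(\d+)\]/

# Decide what to do with a mail received on an alias bound to alias_project.
# restrict_replies is a hypothetical opt-in switch, not an existing option.
def route_mail(subject, alias_project, issues: ISSUES, restrict_replies: false)
  match = REPLY_SUBJECT_RE.match(subject.to_s)
  # No issue reference: the mail becomes a new issue in the default project.
  return [:new_issue, alias_project] unless match

  issue_id = Integer(match[1], 10)
  project = issues[issue_id]
  # Unknown issue id: there is nothing to reply to.
  return [:rejected, "unknown issue ##{issue_id}"] if project.nil?

  # The check the reporter expected: the referenced issue must belong
  # to the project this alias was configured for.
  if restrict_replies && project != alias_project
    return [:rejected, "issue ##{issue_id} is in #{project}, alias is #{alias_project}"]
  end

  [:reply, project]
end

if __FILE__ == $PROGRAM_NAME
  # Behaviour described in the report: reply lands in project "bar".
  p route_mail("Re:[#123]", "foo")
  # Same mail with the hypothetical restriction enabled.
  p route_mail("Re:[#123]", "foo", restrict_replies: true)
  # Reply to an issue of the alias's own project is still accepted.
  p route_mail("Re:[#456]", "foo", restrict_replies: true)
end
```

Keeping the restriction opt-in preserves the setup described in the first comment, where one address has a default project but still accepts system-wide replies.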
