[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #12089 [BridgeDB]: BridgedDB can be forced to email arbitrary email addresses

Subject: Re: [tor-bugs] #12089 [BridgeDB]: BridgedDB can be forced to email arbitrary email addresses
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Sat, 09 Aug 2014 22:43:55 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sat, 09 Aug 2014 18:44:05 -0400
In-reply-to: <044.bd10f22c4b2b9a92399979ae3d051788@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
References: <044.bd10f22c4b2b9a92399979ae3d051788@xxxxxxxxxxxxxx>
Reply-to: tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#12089: BridgedDB can be forced to email arbitrary email addresses
--------------------------+--------------------------------------
     Reporter:  isis      |      Owner:  isis
         Type:  defect    |     Status:  reopened
     Priority:  critical  |  Milestone:
    Component:  BridgeDB  |    Version:
   Resolution:            |   Keywords:  bridgedb-email, security
Actual Points:            |  Parent ID:
       Points:            |
--------------------------+--------------------------------------

Comment (by trygve):

 Added patch to test_smtp.py to reproduce the issue described in this
 ticket. The test sends an email to bridgedb in which the 'MAIL FROM'
 address in the SMTP header differs from the 'From' address in the email.

 Note: The test assumes that bridgedb should detect this situation and not
 generate a response. At the time of writing, this test fails because a
 response is generated.

 Note: At the time of writing, test_smtp.has not yet been merged into the
 bridgedb master branch (currently in isis' repo)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12089#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Prev by Author: Re: [tor-bugs] #9874 [BridgeDB]: Research/design a way to automate testing of BridgeDB's HTTPS and email distributors
Next by Author: [tor-bugs] #12835 [- Select a component]: Ten Penile Cancer Symptoms - What To Look For And When To Get Help
Previous by thread: Re: [tor-bugs] #12089 [BridgeDB]: BridgedDB can be forced to email arbitrary email addresses
Next by thread: Re: [tor-bugs] #11393 [meek]: Make an HTTP requestor Chrome extension for meek-client
Index(es):
- Author
- Thread