
Avoid spoofing email senders

Open SegiNyn opened this issue 1 year ago • 3 comments

SegiNyn avatar Mar 14 '24 13:03 SegiNyn

Is it really necessary to change the APIs internally? At least what I had in mind was simply changing the logic in the emails module to determine how to use From and Reply-to and only changing the form label in the various other places...

~~Also, I think we agreed to "name via Indico" <noreply...> in the From, and not using the site title in a very generic way..~~ Never mind, that was just an early return where I saw that.

ThiefMaster avatar Mar 15 '24 16:03 ThiefMaster

> Is it really necessary to change the APIs internally? At least what I had in mind was simply changing the logic in the emails module to determine how to use From and Reply-to and only changing the form label in the various other places...

I saw that you already had a function `_rewrite_sender` that makes changes to the From address; that's why I removed that and added a new function. And I thought it was better to make the changes before creating the EmailMessage. Also, to be sure, where in the emails module did you have in mind? `do_send_email`?

SegiNyn avatar Mar 15 '24 19:03 SegiNyn

The changes to the names to `sender_address` instead of `from_address` aren't actually necessary, but they make it obvious to developers as well, not just the users, as is the case if only the label is changed.

SegiNyn avatar Mar 15 '24 19:03 SegiNyn

Just FYI, I plan to merge this end of next week, shortly before we're going to put this in production at CERN.

ThiefMaster avatar Nov 07 '24 10:11 ThiefMaster
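
The From/Reply-To handling discussed in this thread, as an added sketch that is not Indico's code and not taken from the pull request: the system's own address always goes in From with a "name via Indico" display name, and the user-chosen sender is placed only in Reply-To. `NOREPLY_ADDRESS`, `SERVICE_NAME`, `build_message` and the `.example` addresses are assumptions made for the illustration.

```python
from email.headerregistry import Address
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed values for this sketch; not taken from Indico's configuration.
NOREPLY_ADDRESS = 'noreply@indico.example'
SERVICE_NAME = 'Indico'


def _clean(value):
    # Reject CR/LF so user input can never start a new header line.
    if '\r' in value or '\n' in value:
        raise ValueError('line break in header value')
    return value.strip()


def build_message(sender, to, subject, body):
    """Build a mail whose From is always the system's own address.

    `sender` is the user-chosen address ("Name <addr>" or a bare addr).
    It is only ever placed in Reply-To, so receivers never see a From
    domain that this server is not authorised to send for (SPF/DMARC).
    """
    name, addr = parseaddr(_clean(sender))
    username, _, domain = addr.rpartition('@')
    if not username or not domain:
        raise ValueError(f'invalid sender address: {sender!r}')
    # Never echo the raw address into the display name; mail clients
    # may flag or misrender a display name that looks like an address.
    display = f'{name} via {SERVICE_NAME}' if name else SERVICE_NAME
    no_user, _, no_domain = NOREPLY_ADDRESS.rpartition('@')

    msg = EmailMessage()
    msg['From'] = Address(display, no_user, no_domain)
    msg['Reply-To'] = Address(name, username, domain)
    msg['To'] = _clean(to)
    msg['Subject'] = _clean(subject)
    msg.set_content(body)
    return msg
```
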