Skip to content

Avoid spoofing email senders #6231

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
ThiefMaster merged 6 commits into from
Nov 18, 2024
Merged

Avoid spoofing email senders #6231

ThiefMaster merged 6 commits into from
Nov 18, 2024

Conversation

@SegiNyn
Copy link
Contributor

@SegiNyn SegiNyn commented Mar 14, 2024

No description provided.

@SegiNyn SegiNyn changed the title Send emails from only allowed senders and replace From with Sender in Forms Send emails only from allowed senders and replace From with Sender in Forms Mar 14, 2024
@SegiNyn SegiNyn mentioned this pull request Mar 14, 2024
Closed
@ThiefMaster
Copy link
Member

ThiefMaster commented Mar 15, 2024
edited
Loading

Is it really necessary to change the APIs internally? At least what I had in mind was simply changing the logic in the emails module to determine how to use From and Reply-to and only changing the form label in the various other places...

Also, I think we agreed to "name via Indico" <noreply...> in the From, and not using the site title in a very generic way.. Nevermind, that was just an early return where I saw that.

@SegiNyn
Copy link
Contributor Author

SegiNyn commented Mar 15, 2024

Is it really necessary to change the APIs internally? At least what I had in mind was simply changing the logic in the emails module to determine how to use From and Reply-to and only changing the form label in the various other places...

I saw that you already had a function _rewrite_sender that makes changes to the From address that's why I removed that and added a new function. And I thought it was better to make the changes before creating the EmailMessage. Also, to be sure where in the emails module did you have in mind? do_send_email?

@SegiNyn
Copy link
Contributor Author

SegiNyn commented Mar 15, 2024

The changes to the names to sender_address instead of from_address isn't actually necessary but it makes it obvious to developers as well not just the users as is the case if only the label is changed.

@SegiNyn SegiNyn force-pushed the add-email-sender branch from 2a774f7 to 1efc951 Compare May 29, 2024 12:15
ThiefMaster
ThiefMaster reviewed Jun 6, 2024
View reviewed changes
@ThiefMaster ThiefMaster changed the title Send emails only from allowed senders and replace From with Sender in Forms Avoid spoofing email senders Oct 1, 2024
ThiefMaster
ThiefMaster reviewed Oct 2, 2024
View reviewed changes
@ThiefMaster ThiefMaster requested a review from tomasr8 October 2, 2024 09:07
tomasr8
tomasr8 reviewed Oct 2, 2024
View reviewed changes
@ThiefMaster
Copy link
Member

ThiefMaster commented Nov 7, 2024

Just FYI, I plan to merge this end of next week, shortly before we're going to put this in production at CERN.

@ThiefMaster ThiefMaster added this to the v3.3 milestone Nov 7, 2024
SegiNyn and others added 5 commits November 18, 2024 11:28
@SegiNyn @ThiefMaster
Send emails from only allowed senders and replace From with Sender in…
32c7d80 
… forms
@ThiefMaster
Fix broken test that never got executed
fdc4b26
@ThiefMaster
Use documented API for parsing address
58f31fc
@ThiefMaster
Various improvements
faa846a 
- prefer putting the email in the name part instead of just indico in
  cases where no name is available
- avoid storing full emails with names in the database; instead lookup
  the name when the email address is used for sending an email
- refactor logic to generate the real sender address, and also handle
  reply-to address in the same place
- update documentation
@ThiefMaster
Add i18n + improve typing
fcbfaaf
@ThiefMaster ThiefMaster mentioned this pull request Nov 18, 2024
Merged
@ThiefMaster ThiefMaster merged commit c19b6f7 into indico:master Nov 18, 2024
9 checks passed
@ThiefMaster ThiefMaster deleted the add-email-sender branch November 18, 2024 12:12
SegiNyn added a commit to UNOG-Indico/indico-core that referenced this pull request Nov 20, 2024
@SegiNyn @ThiefMaster
Avoid spoofing email senders (indico#6231)
5de043d 
Co-authored-by: Adrian Moennich <[email protected]>
AjobK pushed a commit to AjobK/indico that referenced this pull request Dec 19, 2024
@SegiNyn @ThiefMaster @AjobK
Avoid spoofing email senders (indico#6231)
8ff71b4 
Co-authored-by: Adrian Moennich <[email protected]>
AjobK pushed a commit to AjobK/indico that referenced this pull request Jan 7, 2025
@SegiNyn @ThiefMaster @AjobK
Avoid spoofing email senders (indico#6231)
ccdc3e3 
Co-authored-by: Adrian Moennich <[email protected]>
AjobK pushed a commit to AjobK/indico that referenced this pull request Jan 7, 2025
@SegiNyn @ThiefMaster @AjobK
Avoid spoofing email senders (indico#6231)
b8c643b 
Co-authored-by: Adrian Moennich <[email protected]>
This was referenced Apr 5, 2025
Closed
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ThiefMaster ThiefMaster ThiefMaster left review comments

@tomasr8 tomasr8 tomasr8 left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

v3.3

Development

Successfully merging this pull request may close these issues.

3 participants

@SegiNyn @ThiefMaster @tomasr8