[Koha-bugs] [Bug 3280] opac/opac-sendbasket.pl security leaky

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Sun Dec 4 19:01:52 CET 2011


http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3280

Ian Walls <ian.walls at bywatersolutions.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ian.walls at bywatersolutions.
                   |                            |com

--- Comment #1 from Ian Walls <ian.walls at bywatersolutions.com> 2011-12-04 18:01:52 UTC ---
Confirmed this is still an issue.

Not sure there is any good way around this.  To truly solve the issue, we'd
need to be able to separate the spam from the ham (as it were), which is too
subjective to handle systematically.

Perhaps instead of allowing arbitrary email addresses, we only allow either
other borrowernumbers (so you can send to your friends) or a selection of one
of the patron's own email addresses.  The latter would be much easier than the
former.  This would reduce the flexibility of opac-sendbasket, but I think that
flexibility is the fundamental security issue here.
