[Bug 3280] opac/opac-sendbasket.pl security leaky
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3280 --- Comment #12 from Frère Sébastien Marie <semarie-koha@latrappe.fr> --- (En réponse au commentaire 11)
(En réponse au commentaire 10)
One question remains: It works for me. But if you change the From address to the patron's address, could we have Relay Access Denied errors or similar? A mail server could reject outgoing mail if not sent from designated domains?
Yes, it is possible that mail will be reported as spam, if the patron address use SPF (spam prevention system based on whitelist of smtp authorised to send email for particuliar domain).
So it is possible to remove using GetFirstValidEmailAddress($borrowernumber) as
From address, and inconditionnally use C4::Context->preference('KohaAdminEmailAddress').
But I think we should include *in the body* the name/address of the sender: "This mail was sent to you from $user->{firstname} $user->{surname} <$user_email>" So authentificated user will not abuse sending email using opac-sendbasket.pl We could also add a Reply-To field with "$user->{firstname} $user->{surname} <$user_email>" ? (in order to prevent error like press the reply-to button and mail to KohaAdminEmailAddress instead of $user_email) -- You are receiving this mail because: You are the QA Contact for the bug. You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org