[tor-bugs] #12089 [BridgeDB]: BridgedDB can be forced to email arbitrary email addresses

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Aug 4 01:14:29 UTC 2014


#12089: BridgedDB can be forced to email arbitrary email addresses
--------------------------+--------------------------------------
     Reporter:  isis      |      Owner:  isis
         Type:  defect    |     Status:  reopened
     Priority:  critical  |  Milestone:
    Component:  BridgeDB  |    Version:
   Resolution:            |   Keywords:  bridgedb-email, security
Actual Points:            |  Parent ID:
       Points:            |
--------------------------+--------------------------------------
Changes (by isis):

 * status:  closed => reopened
 * resolution:  fixed =>


Comment:

 Some of the fix for #12089 was disabled by #12627:

 {{{
 commit 422410756a7752d6af5b881776fb107fd5e6335e (tpo-
 isis/fix/12627-hotfixes, isislovecruft/fix/12627-hotfixes,
 greyarea/fix/12627-hotfixes, fix/12627-hotfixes)
 Author:     Matthew Finkel <sysrqb at torproject.org>
 AuthorDate: Sat Jul 19 03:33:56 2014 +0000
 Commit:     Isis Lovecruft <isis at torproject.org>
 CommitDate: Tue Jul 22 22:26:42 2014 +0000

     Revert check for SMTP/email header canonical hostname equivalence.

     Signed-off-by: Isis Lovecruft <isis at torproject.org>

     For now, we need to revert this check to get the email distributor to
     function. We should look into this issue in order to get BridgeDB in a
     state where instances of it are runnable by other organisations to hand
     out their own bridges. [OTHER_ORG]

     Fixing this is essential for #12089.

 diff --git a/lib/bridgedb/email/autoresponder.py
 b/lib/bridgedb/email/autoresponder.py
 index 7e5f900..3674702 100644
 --- a/lib/bridgedb/email/autoresponder.py
 +++ b/lib/bridgedb/email/autoresponder.py
 @@ -631,12 +631,12 @@ class SMTPAutoresponder(smtp.SMTPClient):

          # The canonical domains from the SMTP ``MAIL FROM:`` and the
 email
          # ``From:`` header should match:
 -        if self.incoming.canonicalFromSMTP !=
 self.incoming.canonicalFromEmail:
 -            logging.error("SMTP/Email canonical domain mismatch!")
 -            logging.debug("Canonical domain mismatch: %s != %s"
 -                          % (self.incoming.canonicalFromSMTP,
 -                             self.incoming.canonicalFromEmail))
 -            return False
 +        #if self.incoming.canonicalFromSMTP !=
 self.incoming.canonicalFromEmail:
 +        #    logging.error("SMTP/Email canonical domain mismatch!")
 +        #    logging.debug("Canonical domain mismatch: %s != %s"
 +        #                  % (self.incoming.canonicalFromSMTP,
 +        #                     self.incoming.canonicalFromEmail))
 +        #    return False

          self.incoming.domainRules =
 self.incoming.context.domainRules.get(
              self.incoming.canonicalFromEmail, list())
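Review bot: commenting out the mismatch check leaves the `domainRules` lookup two lines below keyed on `self.incoming.canonicalFromEmail`, a value derived from the message's `From:` header that is no longer cross-checked against the SMTP `MAIL FROM:` envelope, so per-domain rules are now selected from sender-supplied data with nothing in the log to show it. If the check must stay off for the email distributor to function, delete the dead block instead of leaving it commented out, add a comment such as `# TODO(#12627): canonical SMTP/From domain check disabled; restoring it is required for #12089` so the reason survives in the code, and keep at least a `logging.warning("SMTP/Email canonical domain mismatch: %s != %s" ...)` without the `return False`, so the condition remains visible while the proper fix is pending.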
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12089#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
