Thinking (off the top of my head): if I fake the email header coming in, I can overwrite the calendar for anyone, correct? The script (below) seems to implicitly trust the $FROM field in the headers.
The only ways around that I see are:

a) Add a PGP sig and check. Pretty easy, actually.

b) Add a password to the process. I see a few ways to add a password:

  a) Use an extra field. Yes, this is clear text, but it helps a lot. I do not see how to add fields, which makes things like majordomo auth tricky. We could add a "password email" to Reply-To (or Bcc).
  b) Add it to the top of the file. ripmime *should* still work.
  c) Add it to the name of the fb email ([EMAIL PROTECTED]). [Interesting: evo's email identifier did not add 'fb+' to the blue email here.]
  d) Add a password file as an attachment.

Or, if I am going to modify evo:

  I) Have evo add it as a special header.
  II) Have evo encrypt the cal information and send it.
  III) Have evo add the password as a MIME type, or as a file attachment.

----------
BTW, the procmail script wins many coolness points from several people looking at this!
-----------

5. Create a user fb. Use this script in the .procmailrc of user fb:

------------------------------------
FROM=`formail -rt -xTo:`

#* ^Content-Type: text/calendar
:0
* ^Subject: Free/Busy information
| /usr/local/bin/ripmime -d /home/fb -i - ; \
  OUT=`echo $FROM | sed -e 's/^\([a-zA-Z]*\).*$/\1/g'` ;\
  cat /home/fb/freebusy.ifb | sed 's/CALSCALE:GREGORIAN//' | tr -s '\n\n' > /home/fb/$OUT.vfb ;\
  chmod 644 /home/fb/$OUT.vfb
------------------------------------

The quite tropical script removes the line with CALSCALE:GREGORIAN on the fly to fix a problem with OL not understanding it.

------------------------------------------------------

Well, that should be close to all I have to say about that. Now let's hear the comments on this!

Regards,

On Tue, 2002-01-22 at 01:36, Roald de Wit wrote:
> On Tue, 2002-01-22 at 01:36, Zot O'Connor wrote:
> > Have you given thought to signing the cal from evo with PGP and
> > verifying it in the script? That would solve some security issues we
> > have considered with the publish (from Outlook).
>
> No, I didn't. That is too much for our needs. We only publish on our
> intranet and trust our users (a little more than the outside world). ;-)
>
> The ftp account is only accessible from our intranet. Maybe it's
> possible for people knowing how our procmail script works to trick it
> into doing things it wasn't supposed to. If you see a possible security
> problem in it, please tell me!
>
> Regards,
>
> Roald
>

--
Zot O'Connor
http://www.ZotConsulting.com
http://www.WhiteKnightHackers.com

_______________________________________________
evolution maillist - [EMAIL PROTECTED]
http://lists.ximian.com/mailman/listinfo/evolution
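The point raised in the mail above is that the recipe names the output file from a header the sender controls and never checks who sent it. As an added example (not the list's procmail script and not part of Evolution), the following Python mirrors the same processing step, ripmime extraction of the text/calendar part, the CALSCALE edit, and the sender-derived filename, but validates the sender-derived name before it is used as a path and implements the "extra field" password option (option b/a above) as a hypothetical X-FB-Password header checked against a per-user secret. The header name, the SECRETS table and the sample message are all constructed for the example.

```python
"""Free/Busy publish handling with the sender checked before it is trusted.
Added example; not the mailing-list script. X-FB-Password, SECRETS and the
sample message below are hypothetical/constructed."""
import email
import email.utils
import hmac
import re
from email import policy

# Constructed sample of a Free/Busy publish carrying a shared secret in an
# extra header. Not a real captured message.
SAMPLE_MSG = b"""From: roald@example.invalid
To: fb@example.invalid
Subject: Free/Busy information
X-FB-Password: hunter2
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="fbmsg"

--fbmsg
Content-Type: text/plain

Free/busy data attached.
--fbmsg
Content-Type: text/calendar; name="freebusy.ifb"

BEGIN:VCALENDAR
CALSCALE:GREGORIAN
METHOD:PUBLISH
BEGIN:VFREEBUSY
DTSTART:20020122T000000Z
DTEND:20020123T000000Z
END:VFREEBUSY
END:VCALENDAR
--fbmsg--
"""

# Hypothetical per-user secrets; in the setup above this would be a file
# readable only by user fb.
SECRETS = {"roald": "hunter2"}

# The sed in the recipe keeps the leading letters of the sender address and
# uses them as a filename. Constrain the shape explicitly so a forged From:
# can never name a path outside the fb directory.
USER_RE = re.compile(r"[a-z][a-z0-9]{0,31}")


def sender_user(msg):
    """Local part of the From: address, or ValueError if unsafe as a filename."""
    _, addr = email.utils.parseaddr(str(msg.get("From", "")))
    local = addr.split("@", 1)[0].lower()
    if not USER_RE.fullmatch(local):
        raise ValueError("unacceptable sender local part: %r" % local)
    return local


def calendar_part(msg):
    """Text of the first text/calendar part (what ripmime writes to disk)."""
    for part in msg.walk():
        if part.get_content_type() == "text/calendar":
            return part.get_content()
    raise ValueError("no text/calendar part")


def clean_calendar(text):
    """Same edit as the sed/tr pipeline: drop CALSCALE:GREGORIAN (which
    Outlook did not understand) and squeeze the blank line that leaves."""
    kept = [ln for ln in text.splitlines()
            if ln.strip() and ln.strip() != "CALSCALE:GREGORIAN"]
    return "\n".join(kept) + "\n"


def authenticate(user, password, secrets):
    """Constant-time check of the clear-text password against the user's secret."""
    expected = secrets.get(user)
    if expected is None or password is None:
        return False
    return hmac.compare_digest(expected.encode(), str(password).encode())


def process(raw, secrets):
    """Return (user, cleaned calendar) for an authenticated publish.
    ValueError for malformed mail, PermissionError for a bad/missing password."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if str(msg.get("Subject", "")).strip() != "Free/Busy information":
        raise ValueError("not a Free/Busy publish")
    user = sender_user(msg)
    if not authenticate(user, msg.get("X-FB-Password"), secrets):
        raise PermissionError("bad or missing password for %s" % user)
    return user, clean_calendar(calendar_part(msg))


def forge(raw, from_addr):
    """The attack from the first paragraph: same message, different From:,
    and no secret (the attacker does not know it)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    msg.replace_header("From", from_addr)
    del msg["X-FB-Password"]
    return msg.as_bytes()


if __name__ == "__main__":
    user, cal = process(SAMPLE_MSG, SECRETS)
    print("accepted publish for", user)
    print(cal)
    try:
        process(forge(SAMPLE_MSG, "roald@example.invalid"), SECRETS)
    except PermissionError as e:
        print("rejected forgery:", e)
```

With the password in a header, anyone who can read the mail in transit learns it (the "clear text" caveat in the mail above); the PGP-signature option avoids that but needs a key per publishing user on the fb side. Either way the sender-derived filename still needs the shape check, since the mail's From: is attacker-controlled whether or not the secret is known.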
