james-server-dev mailing list archives

From "Tellier Benoit (JIRA)" <server-...@james.apache.org>
Subject [jira] [Closed] (JAMES-1734) As an authenticated JMAP user, I can pretend to be someone else in the mails I send
Date Thu, 19 May 2016 02:31:12 GMT

     [ https://issues.apache.org/jira/browse/JAMES-1734?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tellier Benoit closed JAMES-1734.
---------------------------------

> As an authenticated JMAP user, I can pretend to be someone else in the mails I send
> -----------------------------------------------------------------------------------
>
>                 Key: JAMES-1734
>                 URL: https://issues.apache.org/jira/browse/JAMES-1734
>             Project: James Server
>          Issue Type: Bug
>          Components: JMAP
>    Affects Versions: Trunk
>            Reporter: Tellier Benoit
>            Assignee: Tellier Benoit
>             Fix For: Trunk
>
>
> Scenario:
> Bob and Alice are together a happy couple. William is jealous of this. He decides to send a mail to Alice, with Bob's identity, to tell her Bob decided to break up.
> To do this, he performs a JMAP POST on the setMessages endpoint on the outbox, and uses Bob's address in the from field.
> Alice will receive a mail from Bob saying they broke up. And she will believe it, cry all night and meet William.
> Code snippets: failing test:
> ```
>     @Test
>     public void test() throws Exception {
>         // Set up the mailbox of the authenticated user and the two victims
>         jmapServer.serverProbe().createMailbox(MailboxConstants.USER_NAMESPACE, username, "sent");
>         jmapServer.serverProbe().addUser("bob@domain.tld", "1234");
>         jmapServer.serverProbe().addUser("alice@domain.tld", "1234");
>         // setMessages create in the outbox with bob's address in "from",
>         // although the access token belongs to another user
>         String requestBody = "[" +
>             "  [" +
>             "    \"setMessages\","+
>             "    {" +
>             "      \"create\": { \"user|inbox|1\" : {" +
>             "        \"from\": { \"email\": \"bob@domain.tld\"}," +
>             "        \"to\": [{ \"name\": \"Alice\", \"email\": \"alice@domain.tld\"}]," +
>             "        \"cc\": [{ \"name\": \"ALICE\"}]," +
>             "        \"subject\": \"Alice, I break up with you !\"," +
>             "        \"textBody\": \"In this mail username@domain.tld pretends to be user1@domain.tld, and takes advantage of it\"," +
>             "        \"mailboxIds\": [\"" + getOutboxId() + "\"]" +
>             "      }}" +
>             "    }," +
>             "    \"#0\"" +
>             "  ]" +
>             "]";
>         // Given
>         given()
>             .accept(ContentType.JSON)
>             .contentType(ContentType.JSON)
>             .header("Authorization", accessToken.serialize())
>             .body(requestBody)
>             // When
>             .when()
>             .post("/jmap")
>             .prettyPeek();
>         // Then: authenticate as alice and list what landed in her INBOX
>         AccessToken user2AccessToken = JmapAuthentication.authenticateJamesUser("alice@domain.tld", "1234");
>
>         // Leave the outbox message time to be delivered
>         Thread.sleep(10000);
>         with()
>             .accept(ContentType.JSON)
>             .contentType(ContentType.JSON)
>             .header("Authorization", user2AccessToken.serialize())
>             .body("[[\"getMessageList\", {\"fetchMessages\":true, \"fetchMessageProperties\":[\"from\", \"subject\", \"textBody\"]}, \"#0\"]]")
>         .when()
>             .post("/jmap")
>             .prettyPeek();
>     }
> ```
> JMAP responses:
> William:
> ```
> [
>     [
>         "messagesSet",
>         {
>             "accountId": null,
>             "oldState": null,
>             "newState": null,
>             "created": {
>                 "user|inbox|1": {
>                     "id": "username@domain.tld|outbox|1",
>                     "blobId": "1",
>                     "threadId": "username@domain.tld|outbox|1",
>                     "mailboxIds": [
>                         "cf265170-1299-11e6-9382-c5a352d114a2"
>                     ],
>                     "inReplyToMessageId": null,
>                     "isUnread": false,
>                     "isFlagged": false,
>                     "isAnswered": false,
>                     "isDraft": false,
>                     "hasAttachment": false,
>                     "headers": {
>                         "cc": " ",
>                         "date": "Thu, 5 May 2016 15:17:29 +0700",
>                         "bcc": " ",
>                         "sender": "bob@domain.tld",
>                         "subject": "Alice, I break up with you !",
>                         "message-id": "user|inbox|1",
>                         "from": "bob@domain.tld",
>                         "to": "Alice <alice@domain.tld>",
>                         "reply-to": " "
>                     },
>                     "from": {
>                         "name": "bob@domain.tld",
>                         "email": "bob@domain.tld"
>                     },
>                     "to": [
>                         {
>                             "name": "Alice",
>                             "email": "alice@domain.tld"
>                         }
>                     ],
>                     "cc": [
>                         
>                     ],
>                     "bcc": [
>                         
>                     ],
>                     "replyTo": [
>                         
>                     ],
>                     "subject": "Alice, I break up with you !",
>                     "date": "2016-05-05T08:17:29.974Z",
>                     "size": 297,
>                     "preview": "In this mail username@domain.tld pretends to be user1@domain.tld, and takes advantage of it",
>                     "textBody": "In this mail username@domain.tld pretends to be user1@domain.tld, and takes advantage of it",
>                     "htmlBody": null,
>                     "attachments": [
>                         
>                     ],
>                     "attachedMessages": {
>                         
>                     }
>                 }
>             },
>             "updated": [
>                 
>             ],
>             "destroyed": [
>                 
>             ],
>             "notCreated": {
>                 
>             },
>             "notUpdated": {
>                 
>             },
>             "notDestroyed": {
>                 
>             }
>         },
>         "#0"
>     ]
> ]
> ```
> Alice:
> ```
> [
>     [
>         "messageList",
>         {
>             "accountId": null,
>             "filter": null,
>             "sort": [
>                 
>             ],
>             "collapseThreads": false,
>             "state": null,
>             "canCalculateUpdates": false,
>             "position": 0,
>             "total": 0,
>             "threadIds": [
>                 
>             ],
>             "messageIds": [
>                 "alice@domain.tld|INBOX|1"
>             ]
>         },
>         "#0"
>     ],
>     [
>         "messages",
>         {
>             "notFound": [
>                 
>             ],
>             "list": [
>                 {
>                     "id": "alice@domain.tld|INBOX|1",
>                     "from": {
>                         "name": "bob@domain.tld",
>                         "email": "bob@domain.tld"
>                     },
>                     "subject": "Alice, I break up with you !",
>                     "textBody": "In this mail username@domain.tld pretends to be user1@domain.tld, and takes advantage of it"
>                 }
>             ]
>         },
>         "#0"
>     ]
> ]
> ```



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
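The defect reported in this issue is that the server trusts the `from` property of a message created in the outbox, so whoever holds an access token can send as anyone. As an added illustration (not code from James or from the issue; the class, method and field names are assumptions made here, and it uses only the JDK, Java 11 or later), the following stand-alone check shows the validation a JMAP server needs before it sends: the `from` address of any creation that targets the outbox must be the authenticated user, or one of that user's configured identities, otherwise the creation is refused under `notCreated` instead of being sent.

```java
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

// Illustrative only: names here are assumptions for this example, not James APIs.
public class OutboxFromCheck {

    // The part of a setMessages "create" entry that matters for this check.
    static final class CreationRequest {
        final String creationId;  // client key, e.g. "user|inbox|1"
        final String fromEmail;   // "from": { "email": ... }, may be null
        final boolean inOutbox;   // whether "mailboxIds" contains the outbox id

        CreationRequest(String creationId, String fromEmail, boolean inOutbox) {
            this.creationId = creationId;
            this.fromEmail = fromEmail;
            this.inOutbox = inOutbox;
        }
    }

    // Same shape as the JMAP SetError object placed under "notCreated".
    static final class SetError {
        final String type;
        final String description;

        SetError(String type, String description) {
            this.type = type;
            this.description = description;
        }

        @Override
        public String toString() {
            return "{\"type\":\"" + type + "\",\"description\":\"" + description + "\"}";
        }
    }

    static String normalize(String email) {
        return email.trim().toLowerCase(Locale.ROOT);
    }

    // Empty when the creation may proceed, otherwise the SetError to report.
    // authenticatedUser comes from the access token, never from the request body;
    // allowedIdentities is that user's server-side configured alias list (assumed lowercase).
    static Optional<SetError> checkFrom(String authenticatedUser,
                                        Set<String> allowedIdentities,
                                        CreationRequest req) {
        if (!req.inOutbox) {
            // Not being sent: nothing to enforce at creation time (assumption of this example;
            // the same check must run again if the message is later moved into the outbox).
            return Optional.empty();
        }
        if (req.fromEmail == null || req.fromEmail.isBlank()) {
            return Optional.of(new SetError("invalidProperties",
                "from is mandatory when creating a message in the outbox"));
        }
        String from = normalize(req.fromEmail);
        if (from.equals(normalize(authenticatedUser)) || allowedIdentities.contains(from)) {
            return Optional.empty();
        }
        return Optional.of(new SetError("invalidProperties",
            "from must be " + authenticatedUser + " or one of its identities, got " + req.fromEmail));
    }

    // Runs the check over a batch and splits it the way the JMAP response does.
    static Map<String, Map<String, Object>> sortCreations(String authenticatedUser,
                                                          Set<String> allowedIdentities,
                                                          List<CreationRequest> batch) {
        Map<String, Object> created = new LinkedHashMap<>();
        Map<String, Object> notCreated = new LinkedHashMap<>();
        for (CreationRequest req : batch) {
            Optional<SetError> error = checkFrom(authenticatedUser, allowedIdentities, req);
            if (error.isPresent()) {
                notCreated.put(req.creationId, error.get());
            } else {
                created.put(req.creationId, "accepted");
            }
        }
        Map<String, Map<String, Object>> result = new HashMap<>();
        result.put("created", created);
        result.put("notCreated", notCreated);
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample: William holds the token but puts bob's address in "from",
        // as in the failing test of the issue; the second entry is a legitimate send
        // (case differences in the address are tolerated); the third is a mere draft.
        String william = "william@domain.tld";
        Set<String> identities = Set.of("william@domain.tld", "w.smith@domain.tld");
        List<CreationRequest> batch = List.of(
            new CreationRequest("user|inbox|1", "bob@domain.tld", true),
            new CreationRequest("user|inbox|2", "William@domain.tld", true),
            new CreationRequest("user|inbox|3", "bob@domain.tld", false));
        System.out.println(sortCreations(william, identities, batch));
    }
}
```

Two caveats a reviewer of such a fix would raise. First, rejecting at creation time is not enough on its own: a client can create a draft with a forged `from` in another mailbox and then update `mailboxIds` to add the outbox, so the same check has to run on updates that move a message into the outbox. Second, the `from` header is only one identity; the SMTP envelope sender that James uses when it relays the outbox message should also be derived from the authenticated user rather than from anything the client supplied.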

---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org

