[ https://issues.apache.org/jira/browse/JAMES-1734?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15276364#comment-15276364 ]

Matthieu Baechler commented on JAMES-1734:
------------------------------------------

backticks don't work on JIRA, you have to use {noformat}{code}{noformat}

> As an authenticated JMAP user, I can pretend to be someone else in the mails I send
> ------------------------------------------------------------------------------------
>
>                 Key: JAMES-1734
>                 URL: https://issues.apache.org/jira/browse/JAMES-1734
>             Project: James Server
>          Issue Type: Bug
>          Components: JMAP
>    Affects Versions: Trunk
>            Reporter: Tellier Benoit
>            Assignee: Tellier Benoit
>             Fix For: Trunk
>
>
> Scenario:
> Bob and Alice are together a happy couple. William is jealous of this. He 
> decides to send a mail to Alice, with Bob's identity, to tell her Bob decided to 
> break up.
> To do this, Bob proceeds to a JMAP post on the setMessages endpoint on the outbox. He 
> then uses Bob's address in the from field.
> Alice will receive a mail from Bob saying they broke up. And she will believe 
> it, cry all night and meet William.
> Code snippets: failing test:
> ```
>     @Test
>     public void test() throws Exception {
>         jmapServer.serverProbe().createMailbox(MailboxConstants.USER_NAMESPACE, username, "sent");
>         jmapServer.serverProbe().addUser("b...@domain.tld", "1234");
>         jmapServer.serverProbe().addUser("al...@domain.tld", "1234");
>         String requestBody = "[" +
>             "  [" +
>             "    \"setMessages\"," +
>             "    {" +
>             "      \"create\": { \"user|inbox|1\" : {" +
>             "        \"from\": { \"email\": \"b...@domain.tld\"}," +
>             "        \"to\": [{ \"name\": \"Alice\", \"email\": \"al...@domain.tld\"}]," +
>             "        \"cc\": [{ \"name\": \"ALICE\"}]," +
>             "        \"subject\": \"Alice, I break up with you !\"," +
>             "        \"textBody\": \"In this mail usern...@domain.tld pretends to be us...@domain.tld, and takes advantage of it\"," +
>             "        \"mailboxIds\": [\"" + getOutboxId() + "\"]" +
>             "      }}" +
>             "    }," +
>             "    \"#0\"" +
>             "  ]" +
>             "]";
>         // Given
>         given()
>             .accept(ContentType.JSON)
>             .contentType(ContentType.JSON)
>             .header("Authorization", accessToken.serialize())
>             .body(requestBody)
>             // When
>             .when()
>             .post("/jmap")
>             .prettyPeek();
>         // Then
>         AccessToken user2AccessToken = accessToken = JmapAuthentication.authenticateJamesUser("al...@domain.tld", "1234");
>
>         Thread.sleep(10000);
>         with()
>             .accept(ContentType.JSON)
>             .contentType(ContentType.JSON)
>             .header("Authorization", user2AccessToken.serialize())
>             .body("[[\"getMessageList\", {\"fetchMessages\":true, \"fetchMessageProperties\":[\"from\", \"subject\", \"textBody\"]}, \"#0\"]]")
>         .when()
>             .post("/jmap")
>             .prettyPeek();
>     }
> ```
> JMAP responses:
> William:
> ```
> [
>     [
>         "messagesSet",
>         {
>             "accountId": null,
>             "oldState": null,
>             "newState": null,
>             "created": {
>                 "user|inbox|1": {
>                     "id": "usern...@domain.tld|outbox|1",
>                     "blobId": "1",
>                     "threadId": "usern...@domain.tld|outbox|1",
>                     "mailboxIds": [
>                         "cf265170-1299-11e6-9382-c5a352d114a2"
>                     ],
>                     "inReplyToMessageId": null,
>                     "isUnread": false,
>                     "isFlagged": false,
>                     "isAnswered": false,
>                     "isDraft": false,
>                     "hasAttachment": false,
>                     "headers": {
>                         "cc": " ",
>                         "date": "Thu, 5 May 2016 15:17:29 +0700",
>                         "bcc": " ",
>                         "sender": "b...@domain.tld",
>                         "subject": "Alice, I break up with you !",
>                         "message-id": "user|inbox|1",
>                         "from": "b...@domain.tld",
>                         "to": "Alice <al...@domain.tld>",
>                         "reply-to": " "
>                     },
>                     "from": {
>                         "name": "b...@domain.tld",
>                         "email": "b...@domain.tld"
>                     },
>                     "to": [
>                         {
>                             "name": "Alice",
>                             "email": "al...@domain.tld"
>                         }
>                     ],
>                     "cc": [
>                         
>                     ],
>                     "bcc": [
>                         
>                     ],
>                     "replyTo": [
>                         
>                     ],
>                     "subject": "Alice, I break up with you !",
>                     "date": "2016-05-05T08:17:29.974Z",
>                     "size": 297,
>                     "preview": "In this mail usern...@domain.tld pretends to 
> be us...@domain.tld, and takes advantage of it",
>                     "textBody": "In this mail usern...@domain.tld pretends to 
> be us...@domain.tld, and takes advantage of it",
>                     "htmlBody": null,
>                     "attachments": [
>                         
>                     ],
>                     "attachedMessages": {
>                         
>                     }
>                 }
>             },
>             "updated": [
>                 
>             ],
>             "destroyed": [
>                 
>             ],
>             "notCreated": {
>                 
>             },
>             "notUpdated": {
>                 
>             },
>             "notDestroyed": {
>                 
>             }
>         },
>         "#0"
>     ]
> ]
> ```
> Alice:
> ```
> [
>     [
>         "messageList",
>         {
>             "accountId": null,
>             "filter": null,
>             "sort": [
>                 
>             ],
>             "collapseThreads": false,
>             "state": null,
>             "canCalculateUpdates": false,
>             "position": 0,
>             "total": 0,
>             "threadIds": [
>                 
>             ],
>             "messageIds": [
>                 "al...@domain.tld|INBOX|1"
>             ]
>         },
>         "#0"
>     ],
>     [
>         "messages",
>         {
>             "notFound": [
>                 
>             ],
>             "list": [
>                 {
>                     "id": "al...@domain.tld|INBOX|1",
>                     "from": {
>                         "name": "b...@domain.tld",
>                         "email": "b...@domain.tld"
>                     },
>                     "subject": "Alice, I break up with you !",
>                     "textBody": "In this mail usern...@domain.tld pretends to 
> be us...@domain.tld, and takes advantage of it"
>                 }
>             ]
>         },
>         "#0"
>     ]
> ]
> ```



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
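The fix the issue calls for is a server-side check that a message created in the outbox carries the authenticated user's own address in `from`. The following is an added illustration of that check, not James's code: it reproduces the shape of the `setMessages` call from the issue with constructed addresses and outbox id, and returns the creations to proceed with plus a JMAP-style `notCreated` map for the rejected ones (the `invalidProperties` error shape and the "missing From defaults to the authenticated user" rule are assumptions).

```python
# Constructed sample values (not taken from the issue): the session user and the outbox id.
AUTHENTICATED_USER = "william@domain.example"
OUTBOX_ID = "outbox-id-constructed"


def build_set_messages(from_email, outbox_id):
    """Build a setMessages call shaped like the one in the issue, with a chosen From."""
    return [["setMessages", {"create": {"user|inbox|1": {
        "from": {"email": from_email},
        "to": [{"name": "Alice", "email": "alice@domain.example"}],
        "subject": "Alice, I break up with you !",
        "textBody": "constructed body",
        "mailboxIds": [outbox_id],
    }}}, "#0"]]


def enforce_sender(authenticated_user, request, outbox_id):
    """Identity check for setMessages: any message created in the outbox must have the
    authenticated user's address in From. Returns (accepted creations, notCreated map)."""
    method, args, _client_id = request[0]
    if method != "setMessages":
        raise ValueError("expected a setMessages call")
    accepted, not_created = {}, {}
    for creation_id, msg in args.get("create", {}).items():
        if outbox_id not in msg.get("mailboxIds", []):
            accepted[creation_id] = msg  # not being sent (e.g. a draft): out of scope here
            continue
        from_field = msg.get("from")
        if from_field is None:
            # Assumption: a missing From is filled with the authenticated user's address.
            accepted[creation_id] = dict(msg, **{"from": {"email": authenticated_user}})
            continue
        # Compare case-insensitively so "Bob@Domain" and "bob@domain" are the same identity.
        if from_field.get("email", "").strip().lower() != authenticated_user.lower():
            not_created[creation_id] = {
                "type": "invalidProperties",
                "properties": ["from"],
                "description": "from must be the authenticated user's address",
            }
        else:
            accepted[creation_id] = msg
    return accepted, not_created


if __name__ == "__main__":
    spoofed = build_set_messages("bob@domain.example", OUTBOX_ID)
    print(enforce_sender(AUTHENTICATED_USER, spoofed, OUTBOX_ID)[1])
```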
