Closed TheRook closed 10 years ago
Thanks @TheRook. I have been insanely busy lately. Would you like to be a core committer? I see your background is pretty good for sharing your knowledge with the community.
Definitely something to fix before going live with anything serious. I suggest always adding a signature to all entries in the email task queue. Entries with non-matching signatures are deleted from the task queue without sending emails. OK? Will fix on 23.09.13.
It was found that gae-boilerplate will allow an attacker to transmit an arbitrary email to an address of their choice. This vulnerability is high risk, as it is very useful to spammers.
Steps to reproduce the issue:

1) Clone gae-boilerplate.
2) Push this default instance of gae-boilerplate to Google App Engine.
3) The following HTTP request, sent with curl, will force gae-boilerplate to send an email:

```
curl "http://some-install-of-gae-boilerplate/taskqueue-send-email/?to=i_love_spam@gmail.com&subject=viagra&body=viagra&sender=test@appspot.com" -d ""
```
Google suggests requiring "admin" access to execute cron jobs: https://developers.google.com/appengine/docs/python/config/cron#Securing_URLs_for_Cron
Because there is no access control, anyone can invoke the SendEmailHandler() request handler and send email.
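The two fixes discussed in this thread (an origin check on the handler, and the maintainer's proposal to sign every queued task and discard entries whose signature does not match) can be modelled without App Engine. The following is an added example, not gae-boilerplate code: the handler is reduced to a plain function taking the request headers and parameters, and `mailer` is a hypothetical stand-in for the App Engine mail API. The origin check relies on the fact that App Engine adds the `X-AppEngine-QueueName` header to requests it dispatches from a task queue and strips that header from requests arriving from outside; the alternative of `login: admin` on the handler's URL in app.yaml, as the cron documentation linked above recommends, achieves the same thing declaratively. `TASK_SECRET` is an assumed per-deployment secret that would live outside the repository.

```python
"""Added example (not part of gae-boilerplate): origin check plus
HMAC-signed task payloads for a task-queue email handler."""
import hashlib
import hmac

# Assumed per-deployment secret; in a real app keep it out of the repo.
TASK_SECRET = b"replace-with-a-random-per-deployment-secret"

# Fields carried by a queued email task; all of them are signed.
FIELDS = ("to", "subject", "body", "sender")


def canonical(params):
    """Deterministic bytes over the signed fields. Each value is
    length-prefixed so attacker-chosen values cannot shift field
    boundaries and produce a second message with the same MAC."""
    parts = []
    for name in FIELDS:
        value = params.get(name, "").encode("utf-8")
        parts.append(name.encode("ascii") + b"=" +
                     str(len(value)).encode("ascii") + b":" + value)
    return b"\n".join(parts)


def sign_task(params, secret=TASK_SECRET):
    """Used by the code that enqueues the task: returns params plus 'sig'."""
    signed = dict(params)
    signed["sig"] = hmac.new(secret, canonical(params), hashlib.sha256).hexdigest()
    return signed


def is_task_queue_request(headers):
    """App Engine sets X-AppEngine-QueueName on queue-dispatched requests
    and removes it from external requests, so its presence proves origin."""
    return "X-AppEngine-QueueName" in headers


def send_email_handler(headers, params, secret=TASK_SECRET, mailer=None):
    """Hardened handler. Returns (status, reason); calls `mailer` only
    when both the origin check and the signature check pass."""
    if not is_task_queue_request(headers):
        return 403, "not a task queue request"
    expected = hmac.new(secret, canonical(params), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, params.get("sig", "")):
        # Maintainer's proposal: drop the entry, send nothing. 200 so the
        # queue does not retry the poisoned task.
        return 200, "bad signature, task discarded"
    if mailer is not None:
        mailer(**{k: params.get(k, "") for k in FIELDS})
    return 200, "sent"


def unpatched_handler(headers, params, mailer=None):
    """The behaviour the report describes: anyone can trigger a send."""
    if mailer is not None:
        mailer(**{k: params.get(k, "") for k in FIELDS})
    return 200, "sent"


def demo():
    sent = []

    def mailer(**kw):
        sent.append(kw)

    # Constructed request modelled on the curl command in the report:
    # no queue header, attacker-chosen fields, no signature.
    attacker = {"to": "i_love_spam@gmail.com", "subject": "viagra",
                "body": "viagra", "sender": "test@appspot.com"}
    unpatched_handler({}, attacker, mailer)                      # email goes out
    r1 = send_email_handler({}, attacker, mailer=mailer)         # 403, nothing sent
    # Even if the queue header were present, an unsigned task is discarded.
    queue = {"X-AppEngine-QueueName": "default"}
    r2 = send_email_handler(queue, attacker, mailer=mailer)
    # Legitimate task: signed when enqueued, dispatched by the queue.
    legit = sign_task({"to": "user@example.com", "subject": "Welcome",
                       "body": "Hello", "sender": "noreply@example.com"})
    r3 = send_email_handler(queue, legit, mailer=mailer)
    # Signed task whose recipient was altered afterwards: MAC no longer matches.
    tampered = dict(legit, to="i_love_spam@gmail.com")
    r4 = send_email_handler(queue, tampered, mailer=mailer)
    return r1, r2, r3, r4, len(sent)


if __name__ == "__main__":
    print(demo())
```

The signature alone would already stop the request in the report, since an outsider cannot produce a valid MAC without the secret; the header check is kept as the cheaper first gate and as defence in depth should the secret ever leak.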