Re: [Evolution] Outlook <-> Evolution Free/Busy problem. A solution.



Thinking (off the top of my head),

If I fake the email header coming in, I can overwrite the calendar for
anyone, correct?  The script (below) seems to implicitly trust the $FROM
field in the headers.

The only way around that I see is to
a)  Add a PGP sig and check, pretty easy actually.
b)  Add a password to the process.

I see a few ways to add a password:

a)  Use an extra field.  Yes this is clear text, but it helps a lot.
  With I do not see how to add fields, which makes things like majordomo
auth tricky.  We could add a "password email" to reply-to (or bcc).
b)  Add it to the top of the file.  ripmime *should* still work.
c)  Add it to the name of the fb email (fb+password cal domain tld). 
[Interesting evo's email identifier did not add 'fb+' to the blue email
here.]
d)  Add a password file as an attachment.


Or if I am going to modify evo:
I) Have evo add it as a special header.
II)  Have evo encrypt the cal information and send it.
III) Have evo add the password as a mime type, or as file attachment.


----------
BTW the procmail script wins many coolness points from several people
looking at this!


-----------


5 Create a user fb

- Use this script in the .procmailrc of user fb:
------------------------------------
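# Reply address taken from the incoming message headers
FROM=`formail -rt -xTo:`

#* ^Content-Type: text/calendar
# Match free/busy mails, unpack the attachment with ripmime, then write
# it to <leading letters of $FROM>.vfb without the CALSCALE line
:0 
* ^Subject: Free/Busy information
| /usr/local/bin/ripmime -d /home/fb -i - ; \
  OUT=`echo $FROM | sed -e 's/^\([a-zA-Z]*\).*$/\1/g'` ;\
  cat /home/fb/freebusy.ifb | sed 's/CALSCALE:GREGORIAN//' | tr -s '\n\n' > /home/fb/$OUT.vfb ;\
  chmod 644 /home/fb/$OUT.vfb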
------------------------------------
The quite tropical script removes the line with CALSCALE:GREGORIAN on
the fly to fix a problem with OL not understanding it.

------------------------------------------------------
Well, that should be close to all I have to say about that. Now let's
hear the comments on this!

Regards, 



On Tue, 2002-01-22 at 01:36, Roald de Wit wrote:
On Tue, 2002-01-22 at 01:36, Zot O'Connor wrote:
Have you given thought to signing the cal from evo with PGP and
verifying it in the script?  That would solve some security issues we
have considered with the publish (from Outlook).

No, I didn't. That is too much for our needs. We only publish on our
intranet and trust our users (a little more than the outside world). ;-)

The ftp account is only accessible from our intranet. Maybe it's
possible for people knowing how our procmail script works to trick it
into doing things it wasn't supposed to. If you see a possible security
problem in it, please tell me!

Regards,

Roald


-- 
Zot O'Connor

http://www.ZotConsulting.com
http://www.WhiteKnightHackers.com
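
One way to implement the check from option c) above (password carried in the `fb+password` recipient address) before the recipe writes any file. This is an added example, not part of the original message or of Roald's script; the function name `fb_outfile`, the `FB_SECRETS` table and the example.com addresses are assumptions.

```shell
#!/bin/sh
# Constructed sample secrets table: "<user> <password>" per line.
# Assumption: a real setup keeps this in a file readable only by user fb.
FB_SECRETS='alice s3cretA
bob s3cretB'

# fb_outfile FROM_ADDR TO_ADDR
# Prints the .vfb file name to write, or returns 1 if the mail must be dropped.
fb_outfile() {
    from=$1
    to=$2

    # Same derivation as the recipe: leading letters of the sender address.
    user=$(printf '%s\n' "$from" | sed -e 's/^\([a-zA-Z]*\).*$/\1/')
    [ -n "$user" ] || return 1

    # The password is whatever sits between "fb+" and "@" in the recipient.
    case $to in
        fb+*@*) pass=${to#fb+}; pass=${pass%%@*} ;;
        *) return 1 ;;
    esac
    [ -n "$pass" ] || return 1

    # Expected password for the claimed sender; exact match only, so a
    # forged From: does not help without that user's own password.
    want=$(printf '%s\n' "$FB_SECRETS" |
           awk -v u="$user" '$1 == u { print $2; exit }')
    [ -n "$want" ] && [ "$pass" = "$want" ] || return 1

    printf '%s.vfb\n' "$user"
}
```

In the recipe, the result would replace `$OUT.vfb`, and the write would be skipped when the function fails.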




