Server: Invitation sent to attendees upon calendar import (also for past events)

Created on 24 Dec 2016 · 31 Comments · Source: nextcloud/server

Posted on #nextcloud on freenode irc

[15:12:36] just setting up nextcloud on a freebsd server today, and made a test user account and imported some account data from a google account. I imported a calendar and while importing the calendar nextcloud started to notify contacts for past appointments.....
[15:12:45] nextcloud 11.0 stable
[15:13:26] shutdown the postfix service and will remove the queue but guys this is quite an oversight....
[15:17:54] That sounds like a good github issue
[15:18:18] I'm a little surprised it doesn't check whether the date of an appointment is in the past before sending a notification
[15:18:43] there is about 10 years of google appointments getting mailed out to contacts
[15:18:52] import not yet complete
[15:19:07] pretty stunning oversight
[15:20:50] also as the user has not yet defined an email address the mail is going to the postmaster for the domain rofl....
[15:22:07] so basically the calendar app upon import even without a user defining an email address sends out mail via an imagined user/email address named after the site name @ the config domain name

Update 1

X-PHP-Originating-Script: 80:SimpleMailInvoker.php

you guys gotta patch this asap
There should be no immediate outbound mail triggered by importing data from outside data source. The import was not even half way through and the mails were flying out....

your calendar app sent out emails to 10 years of google calendar invitees..... really?

spammers can use this flaw actually...

ATTENDEE;CUTYPE=INDIVIDUAL;ROLE=REQ-PARTICIPANT;PARTSTAT=ACCEPTED;CN=Some Dude ;X-NUM-GUESTS=0:mailto:[email protected]
ATTENDEE;CUTYPE=INDIVIDUAL;ROLE=REQ-PARTICIPANT;PARTSTAT=NEEDS-ACTION;CN=Some Dude;X-NUM-GUESTS=0:mailto:[email protected]

Steps to reproduce

  1. new fresh install unknown if a relevant step
  2. create admin user unknown if a relevant step
  3. create normal user unknown if a relevant step
  4. do not create email account for normal user unknown if a relevant step
  5. import google calendar which includes previous events with invited contacts

Expected behaviour

upon Importation of google Calendar with past or present events with included invitees should never activate an immediate sending of invitations.

Actual behaviour

importing the calendar nextcloud started to notify contacts for past appointments

Server configuration

FreeBSD 11.0 -p6

Apache 2.4.25

mysql-server 5.6.34

PHP Version: 5.6.29
Memory Limit: 512.0 MB
Max Execution Time: 3600
Upload max size: 511.0 MB

Nextcloud version: 11
Fresh Install
Source from nextcloud.com

List of activated apps:


The process control (PCNTL) extensions are required in case you want to interrupt long running commands - see http://php.net/manual/en/book.pcntl.php
Enabled:
  - activity: 2.4.1
  - admin_audit: 1.1.0
  - announcementcenter: 3.0.0
  - apporder: 0.3.3
  - audioplayer: 1.4.0
  - bookmarks: 0.9.1
  - calendar: 1.4.1
  - comments: 1.1.0
  - contacts: 1.5.2
  - dav: 1.1.1
  - direct_menu: 0.9.3
  - encryption: 1.4.1
  - external: true
  - federatedfilesharing: 1.1.1
  - federation: 1.1.1
  - files: 1.6.1
  - files_accesscontrol: 1.1.2
  - files_external: 1.1.2
  - files_pdfviewer: 1.0.1
  - files_sharing: 1.1.1
  - files_texteditor: 2.2
  - files_trashbin: 1.1.0
  - files_versions: 1.4.0
  - files_videoplayer: 1.0.0
  - firstrunwizard: 2.0
  - gallery: 16.0.0
  - gpxedit: 0.0.3
  - logreader: 2.0.0
  - lookup_server_connector: 1.0.0
  - mail: 0.6.2
  - nextcloud_announcements: 1.0
  - notes: 2.1.0
  - notifications: 1.0.1
  - password_policy: 1.1.0
  - previewgenerator: 1.0.1
  - provisioning_api: 1.1.0
  - richdocuments: 1.1.24
  - serverinfo: 1.1.1
  - sharebymail: 1.0.1
  - spreed: 1.1.2
  - spreedme: 0.3.5
  - survey_client: 0.1.5
  - systemtags: 1.1.3
  - tasks: 0.9.4
  - templateeditor: 0.2
  - theming: 1.1.1
  - twofactor_backupcodes: 1.0.0
  - updatenotification: 1.1.1
  - user_external: 0.4
  - workflowengine: 1.1.1
Disabled:
  - files_automatedtagging
  - files_retention
  - user_ldap
  - user_saml

The content of config/config.php:


The process control (PCNTL) extensions are required in case you want to interrupt long running commands - see http://php.net/manual/en/book.pcntl.php
{
    "system": {
        "instanceid": "ocha0opv8gho",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "www.aventia.pw"
        ],
        "datadirectory": "\/usr\/local\/www\/nextcloudav\/data",
        "overwrite.cli.url": "https:\/\/www.aventia.pw\/thera",
        "dbtype": "sqlite3",
        "version": "11.0.0.10",
        "logtimezone": "UTC",
        "installed": true
    }
}

Are you using external storage, if yes which one:
no

Are you using encryption: yes

Are you using an external user-backend, if yes which one:
no

Browser: Chrome current

Operating system: OSX 10.9.5

3. to review bug dav

All 31 comments

perhaps this may also be relevant...
phpmailer vulnerability CVE-2016-10033 https://thehackernews.com/2016/12/phpmailer-security.html

@Oclair Not at all relevant.

I think I can confirm the issue.

I can confirm this bug, btw.

I don't think this is a regression.

ah ok, sorry

I've been reading a bit into RFC 6047 and 6638, though I'm not completely sure what the expected behavior is. maybe @evert can help :)

We've had this ticket open for a while:

https://github.com/fruux/sabre-dav/issues/569

I don't think I was able to find any information in RFCs about how past events should be treated, but it does make sense to me that our default ImipPlugin ignores any events that have already happened.
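
A pre-import check along the lines discussed above, as an added example that is not part of the thread and is not Nextcloud or sabre/dav code: it lists the attendee addresses attached to events in an .ics export that have already ended, which are the invitees the import in this issue mailed. The sample calendar, its addresses and the function names are constructed for illustration, and local or TZID times are read as UTC.

```python
import re
from datetime import datetime, timezone

# Constructed sample: a 2006 meeting, a far-future meeting, an open-ended weekly series.
SAMPLE = "\r\n".join([
    "BEGIN:VCALENDAR", "BEGIN:VEVENT", "SUMMARY:Kickoff",
    "DTSTART:20060301T100000Z", "DTEND:20060301T110000Z",
    "ATTENDEE;CUTYPE=INDIVIDUAL;ROLE=REQ-PARTICIPANT;PARTSTAT=ACCEPTED;CN=Some Dude;X-NUM-",
    " GUESTS=0:mailto:dude@example.com", "END:VEVENT",
    "BEGIN:VEVENT", "SUMMARY:Review", "DTSTART:20991201T100000Z",
    "ATTENDEE;PARTSTAT=NEEDS-ACTION:mailto:later@example.com", "END:VEVENT",
    "BEGIN:VEVENT", "SUMMARY:Weekly", "DTSTART;VALUE=DATE:20060306", "RRULE:FREQ=WEEKLY",
    "ATTENDEE:mailto:team@example.com", "END:VEVENT", "END:VCALENDAR"])

def parse_when(value):
    """Parse a DATE or DATE-TIME value. Assumption: local/TZID times are read as UTC."""
    fmt = "%Y%m%dT%H%M%S" if "T" in value else "%Y%m%d"
    return datetime.strptime(value.rstrip("Z"), fmt).replace(tzinfo=timezone.utc)

def event_end(event):
    """Latest known end of an event, or None if it may still recur in the future."""
    end = parse_when(event.get("DTEND") or event["DTSTART"])
    if "RRULE" not in event:
        return end
    # A recurrence without UNTIL is not expanded here, so it counts as possibly upcoming.
    until = re.search(r"UNTIL=([0-9TZ]+)", event["RRULE"])
    return max(end, parse_when(until.group(1))) if until else None

def past_event_invitees(ics_text, now):
    """Return [(summary, [attendee addresses])] for events that ended before `now`."""
    report, event = [], None
    for line in re.sub(r"\r?\n[ \t]", "", ics_text).splitlines():  # RFC 5545 unfolding
        name = re.split(r"[;:]", line, maxsplit=1)[0].upper()
        if line.upper() == "BEGIN:VEVENT":
            event = {"attendees": []}
        elif event is None:
            continue  # skips DTSTART/RRULE inside VTIMEZONE and other components
        elif name in ("DTSTART", "DTEND", "RRULE"):
            event[name] = line.rpartition(":")[2]  # these values never contain ':'
        elif name == "SUMMARY":
            event[name] = line.partition(":")[2]
        elif name == "ATTENDEE" and "mailto:" in line.lower():
            event["attendees"].append(line[line.lower().rfind("mailto:") + 7:])
        elif line.upper() == "END:VEVENT":
            end = event_end(event) if "DTSTART" in event else None
            if end is not None and end < now and event["attendees"]:
                report.append((event.get("SUMMARY", ""), event["attendees"]))
            event = None
    return report
```
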

@evert @georgehrke my suggestion would be:

  1. default ImipPlugin ignores any events that have already happened.

  2. also default ImipPlugin ignores any events that have not yet already happened with an option to turn on

> @evert @georgehrke my suggestion would be:
>
> default ImipPlugin ignores any events that have already happened.

yay

> also default ImipPlugin ignores any events that have not yet already happened with an option to turn on

nay. Sending out invitations for events is a feature. If anything, we make it opt-out and not opt-in.
I could imagine adding a checkbox in the import dialog that asks if you want to send invitations for future events, checked by default. cc @jancborchardt

That seems a decent solution, yes.

Can this be prioritized? It sort of makes the calendar plugin useless (or very very annoying) if you want to migrate from one calendar system to Nextcloud.

I had the impression that this was fixed in a subsequent update, is this issue still not resolved @GanimanSwift?

On 5/22/17 18:44, GanimanSwift wrote:

> Can this be prioritized? It sort of makes the calendar plugin useless (or very very annoying) if you want to migrate from one calendar system to Nextcloud.


@Oclair We have experienced it this morning on the most current Nextcloud and Cal plugins. A user imported a calendar through the Nextcloud web interface, and after importing, all attendees from past and present appointments were e-mailed invitations. After opening an issue in the plugin's github, @georgehrke notified me there was an open issue for this.

I think this bug should be treated with much higher priority. I just sent out about 200 invitations about events that happened in 2006. Not cool.

@belidzs This issue is already assigned to the very next release 12.0.1

@georgehrke

> This issue is already assigned to the very next release 12.0.1

Since RC1 is already released, will this be postponed?

probably as https://github.com/nextcloud/server/pull/5304 was not merged yet :/

I'm actually not sure RC1 is out, we're still tracking down some nasty filecache issue...

Can we please have this merged in to the next release? It's been a pretty big bug for about 8 months now. Seems like a long time to wait for this to be officially fixed.

Seriously, this is a pretty severe bug and still not fixed after 8 months. If it cannot be fixed in a timely manner, please add at least a warning in the import dialog. A workaround would then be to remove the mail config, import and re-add it.

Unfortunately I first saw this issue after importing a large calendar.

> Seriously, this is a pretty severe bug and still not fixed after 8 months.

Actually the bug probably has existed much longer, it was only reported 8 months ago :(

@fmoessbauer @Oclair There is already a fix waiting to be merged.
If you want to help speed it up, please help review https://github.com/nextcloud/server/pull/5304

@georgehrke I thought you said this was going to be in the next release? Well, 12.0.1 and 12.0.2 have been released since you said that, and I still don't see a fix for this being merged in. Can we please get an update?

@GanimanSwift see his previous comment: #5304 needs testing and reviewing. If you could install the patch, try it, see if it does what it should and doesn't break anything and report back in the thread that would be helpful and speed this up...

#2855 is fixed by #5304 respectively #5841. Invitations are not sent for past events anymore with this fix. It would be great if the default ImipPlugin has the possibility to send invitations for future events with an option to turn this off. (as already mentioned)

> It would be great if the default ImipPlugin has the possibility to send invitations for future events with an option to turn this off.

#5304 introduces a config.php flag for that ;)

https://github.com/nextcloud/server/pull/5304/files#diff-1c5ddac9b0860d83f11372020ba25fbcR55

Wish I would have known about this earlier. Sent out 27766 mails due to that. Yikes.

Fixed with #5841

@georgehrke that config.php flag, is that documented by anything other than code? Would probably be good to use it when importing calendars ;-)

@jospoortvliet See the PR. I removed it upon request from @MorrisJobke and @LukasReschke

Will send a new PR for that.

Ah, makes sense, sorry for missing that. Thanks!
