When using mailalias to develop an almost identical solution for us, I spotted one flaw in the way Mailalias & Mailhandler identify aliases when authenticating users:

- Imagine a user with the alias myalias@domain.com
- Imagine a second user with the alias flawed-myalias@domain.com

Because the check is LIKE '%alias%' against the serialized user object, if flawed-myalias sends an email to mailhandler, it might actually be identified as myalias@domain.com, since it will also return true for that LIKE.

First, I thought about creating my own table for aliases, but then I solved it by adding a simple PREFIX and SUFFIX to the alias. myalias@domain.com will then become MAILALIASPREFIX-myalias@domain.com-MAILALIASSUFFIX in the database, and flawed-myalias@domain.com will be MAILALIASPREFIX-flawed-myalias@domain.com-MAILALIASSUFFIX.

Our version of mailhandler authenticate then checks for this prefix too (#11962: Virtual Email Passphrase Authentication): LIKE '%MAILALIASPREFIX...MAILALIASSUFFIX%';

It required:
- Using hook_user op update to save the alias with prefix/suffix
- Changing form op to strip the prefix/suffix when displaying to user
- Using mailhandler authenticate from 11962

I am filing this against mailalias even though it requires changes to both of the modules.
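
Added example (not part of the original issue and not code from either module): a Python/sqlite3 sketch of the substring match described above and of the prefix/suffix fix. The table layout, the "mailalias" key, the user names and the extra carol/dave aliases are constructed for illustration. It goes one step beyond the post by also escaping the LIKE wildcards, because "_" is a legal character in a mail address.

```python
import sqlite3

# Sentinels named in the post; table layout and the "mailalias" key are constructed.
PREFIX, SUFFIX = "MAILALIASPREFIX-", "-MAILALIASSUFFIX"
ALIASES = {"alice": "myalias@domain.com", "bob": "flawed-myalias@domain.com",
           "carol": "my_alias@domain.com", "dave": "myXalias@domain.com"}

def php_str(s):
    # PHP serialize() string form: s:<byte length>:"<value>";
    return 's:%d:"%s";' % (len(s.encode()), s)

def build_db(wrapped):
    # One row per user; data mimics a serialized user object holding the alias.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, data TEXT)")
    for name, alias in ALIASES.items():
        stored = PREFIX + alias + SUFFIX if wrapped else alias
        data = "a:1:{" + php_str("mailalias") + php_str(stored) + "}"
        db.execute("INSERT INTO users VALUES (?, ?)", (name, data))
    return db

def escape_like(s):
    # '%' and '_' are LIKE wildcards, and '_' is legal in a mail address.
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")

def match_naive(db, sender):
    # The flawed check: bare substring match on the serialized blob.
    sql = "SELECT name FROM users WHERE data LIKE ? ORDER BY name"
    return [r[0] for r in db.execute(sql, ("%" + sender + "%",))]

def match_delimited(db, sender):
    # The fix from the post, plus wildcard escaping of the sender address.
    sql = "SELECT name FROM users WHERE data LIKE ? ESCAPE '\\' ORDER BY name"
    pattern = "%" + escape_like(PREFIX + sender + SUFFIX) + "%"
    return [r[0] for r in db.execute(sql, (pattern,))]

if __name__ == "__main__":
    plain, wrapped = build_db(False), build_db(True)
    for sender in ("myalias@domain.com", "my_alias@domain.com"):
        print(sender, match_naive(plain, sender), match_delimited(wrapped, sender))
```

A dedicated alias table with an exact-match lookup on a unique column, the alternative mentioned in the post, avoids pattern matching on the serialized data altogether.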

Comments

moshe weitzman

Any chance you want to maintain this module? I'm no longer minding it.

gauravkumar87

Hi Moshe,

I'm interested in maintaining this project, as I need it for one of my projects. Please let me know if you are still interested in adding a maintainer for this project.

moshe weitzman

Sounds good to me. Please get yourself a CVS account if you don't have one already and point to this thread in the application.

avpaderno

FYI, I approved gauravkumar87's CVS account.

moshe weitzman

Thanks. I just transferred authorship of the project node to gauravkumar87.

avpaderno

Status: Active » Closed (outdated)

I am closing this issue, which is for an unsupported Drupal version.