Invitation send to attendees upon calendar import (also for past events)

[Oclair]

Posted on #nextcloud on freenode irc

[15:12:36] just setting up nextcloud on a freebsd server today, and made a test user account and imported some account data from a google account. I imported a calendar and while importing the calendar nextcloud started to notify contacts for past appointments.....
[15:12:45] nextcloud 11.0 stable
[15:13:26] shutdown the postfix service and will remove the queue but guys this is quite an oversight....
[15:17:54] That sounds like a good github issue
[15:18:18] I'm a little surprised it doesn't check whether the date of an appointment is in the past before sending a notification
[15:18:43] there is about 10 years of google appointments getting mailed out to contacts
[15:18:52] import not yet complete
[15:19:07] pretty stunning oversight
[15:20:50] also as the user has not yet defined an email address the mail is going to the postmaster for the domain rofl....
[15:22:07] so basically the calendar app upon import even without a user defining an email address sends out mail via an imagined user/email address named after the site name @ the config domain name

Update 1

X-PHP-Originating-Script: 80:SimpleMailInvoker.php

you guys gotta patch this asap
There should be no immediate outbound mail triggered by importing data from outside data source. The import was not even half way through and the mails were flying out....

your calendar app sent out emails to 10 years of google calendar invitees..... really?

spammers can use this flaw actually...

ATTENDEE;CUTYPE=INDIVIDUAL;ROLE=REQ-PARTICIPANT;PARTSTAT=ACCEPTED;CN=Some Dude ;X-NUM-GUESTS=0:mailto:user@server.nul
ATTENDEE;CUTYPE=INDIVIDUAL;ROLE=REQ-PARTICIPANT;PARTSTAT=NEEDS-ACTION;CN=Some Dude;X-NUM-GUESTS=0:mailto:user@server.nul

Steps to reproduce

1. new fresh install unknown if a relevant step
2. create admin user unknown if a relevant step
3. create normal user unknown if a relevant step
4. do not create email account for normal user unknown if a relevant step
5. import google calendar which includes previous events with invited contacts

Expected behaviour

upon Importation of google Calendar with past or present events with included invitees should never activate an immediate sending of invitations.

Actual behaviour

importing the calendar nextcloud started to notify contacts for past appointments

Server configuration

FreeBSD 11.0 -p6

Apache 2.4.25

mysql-server 5.6.34

PHP Version: 5.6.29
Memory Limit: 512.0 MB
Max Execution Time: 3600
Upload max size: 511.0 MB

Nextcloud version: 11
Fresh Install
Source from nextcloud.com

Signing status:

Signing status

Login as admin user into your Nextcloud and access 
http://example.com/index.php/settings/integrity/failed 
paste the results here.

List of activated apps:

App list

The process control (PCNTL) extensions are required in case you want to interrupt long running commands - see http://php.net/manual/en/book.pcntl.php
Enabled:
  - activity: 2.4.1
  - admin_audit: 1.1.0
  - announcementcenter: 3.0.0
  - apporder: 0.3.3
  - audioplayer: 1.4.0
  - bookmarks: 0.9.1
  - calendar: 1.4.1
  - comments: 1.1.0
  - contacts: 1.5.2
  - dav: 1.1.1
  - direct_menu: 0.9.3
  - encryption: 1.4.1
  - external: true
  - federatedfilesharing: 1.1.1
  - federation: 1.1.1
  - files: 1.6.1
  - files_accesscontrol: 1.1.2
  - files_external: 1.1.2
  - files_pdfviewer: 1.0.1
  - files_sharing: 1.1.1
  - files_texteditor: 2.2
  - files_trashbin: 1.1.0
  - files_versions: 1.4.0
  - files_videoplayer: 1.0.0
  - firstrunwizard: 2.0
  - gallery: 16.0.0
  - gpxedit: 0.0.3
  - logreader: 2.0.0
  - lookup_server_connector: 1.0.0
  - mail: 0.6.2
  - nextcloud_announcements: 1.0
  - notes: 2.1.0
  - notifications: 1.0.1
  - password_policy: 1.1.0
  - previewgenerator: 1.0.1
  - provisioning_api: 1.1.0
  - richdocuments: 1.1.24
  - serverinfo: 1.1.1
  - sharebymail: 1.0.1
  - spreed: 1.1.2
  - spreedme: 0.3.5
  - survey_client: 0.1.5
  - systemtags: 1.1.3
  - tasks: 0.9.4
  - templateeditor: 0.2
  - theming: 1.1.1
  - twofactor_backupcodes: 1.0.0
  - updatenotification: 1.1.1
  - user_external: 0.4
  - workflowengine: 1.1.1
Disabled:
  - files_automatedtagging
  - files_retention
  - user_ldap
  - user_saml

The content of config/config.php:

Config report

The process control (PCNTL) extensions are required in case you want to interrupt long running commands - see http://php.net/manual/en/book.pcntl.php
{
    "system": {
        "instanceid": "ocha0opv8gho",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "www.aventia.pw"
        ],
        "datadirectory": "\/usr\/local\/www\/nextcloudav\/data",
        "overwrite.cli.url": "https:\/\/www.aventia.pw\/thera",
        "dbtype": "sqlite3",
        "version": "11.0.0.10",
        "logtimezone": "UTC",
        "installed": true
    }
}

Are you using external storage, if yes which one:
no

Are you using encryption: yes

Are you using an external user-backend, if yes which one:
no

Browser: Chrome current

**Operating system: OSX 10.9.5

Logs

Web server error log

Web server error log

``` Insert your webserver log here ```

Nextcloud log (data/nextcloud.log)

Nextcloud log

``` Insert your Nextcloud log here ```

Browser log

Browser log

``` Insert your browser log here, this could for example include:

a) The javascript console log
b) The network log
c) ...

</details>

[Oclair]

perhaps this may also be relevant...
phpmailer vulnerability CVE-2016-10033 https://thehackernews.com/2016/12/phpmailer-security.html

[tcitworld]

@Oclair Not at all relevant.

I think I can confirm the issue.

[jospoortvliet]

I can confirm this bug, btw.

[georgehrke]

I don't think this is a regression.

[jospoortvliet]

ah ok, sorry

[georgehrke]

I've been reading a bit into RFC 6047 and 6638, though I'm not completely sure what the expected behavior is. maybe @evert can help :)

[evert]

We've had this ticket open for a while:

https://github.com/fruux/sabre-dav/issues/569

I don't think I was able to find any information in RFCs about how past events should be treated, but it does make sense to me that our default ImipPlugin ignores any events that have already happened.

[Oclair]

@evert @georgehrke my suggestion would be:

1. default ImipPlugin ignores any events that have already happened.

2. also default ImipPlugin ignores any events that have not yet already happened with an option to turn on

[georgehrke]

@evert @georgehrke my suggestion would be:

default ImipPlugin ignores any events that have already happened.

yay

also default ImipPlugin ignores any events that have not yet already happened with an option to turn on

nay. Sending out invitations for events is a feature. If anything, we make it opt-out and not opt-in.
I could imagine adding a checkbox in the import dialog that asks if you want to send invitations for future events, checked by default. cc @jancborchardt

[jospoortvliet]

That seems a decent solution, yes.

[GanimanSwift]

Can this be prioritized? It sort of makes the calendar plugin useless (or very very annoying) if you want to migrate from one calendar system to Nextcloud.

[Oclair]

I had the impression that this was fixed i a subsequent update, is this issue still not resolved @GanimanSwift ?

…

On 5/22/17 18:44, GanimanSwift wrote: Can this be prioritized? It sort of makes the calendar plugin useless (or very very annoying) if you want to migrate from one calendar system to Nextcloud. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#2855 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAl0eyHNj2AiEebrJqkc5xwCfi_zb8ufks5r8btngaJpZM4LVTNC>.

[GanimanSwift]

@Oclair We have experienced it this morning on the most current Nextcloud and Cal plugins. A user imported a calendar through the Nextcloud web interface, and after importing, all attendees from past and present appointments were e-mailed invitations. After opening an issue in the plugin's github, @georgehrke notified me there was an open issue for this.

[belidzs]

I think this bug should be treated with much higher priority. I just sent out about 200 invitations about events happened in 2006. Not cool.

[georgehrke]

@belidzs This issue is already assigned to the very next release 12.0.1

[enoch85]

@georgehrke

This issue is already assigned to the very next release 12.0.1

Since RC1 is already released, will this be postponed?

[Oclair]

Seriously, this is a pretty severe bug and still not fixed after 8 month.

Actually the bug probably has existed much longer, it was only reported 8 months ago :(

[georgehrke]

@fmoessbauer @Oclair There is already a fix waiting to be merged.
If you want to help speed it up, please help review #5304

[GanimanSwift]

@georgehrke I thought you said this was going to be in the next release? Well, 12.0.1 and 12.0.2 have been released since you said that, and I still don't see a fix for this being merged in. Can we please get an update?

[jospoortvliet]

@GanimanSwift see his previous comment: #5304 needs testing and reviewing. If you could install the patch, try it, see if it does what it should and doesn't break anything and report back in the tread that would be helpful and speed this up...

[ggeorgg]

#2855 is fixed by #5304 respectively #5841. Invitations are not sent for past events anymore with this fix. It would be great if the default ImipPlugin has the possibility to send invitations for future events with an option to turn this off. (as already mentioned)

[georgehrke]

It would be great if the default ImipPlugin has the possibility to send invitations for future events with an option to turn this off.

#5304 introduces a config.php flag for that ;)
https://github.com/nextcloud/server/pull/5304/files#diff-1c5ddac9b0860d83f11372020ba25fbcR55

[makuser]

Wish I would have known about this earlier. Sent out 27766 mails due to that. Yikes.

[MorrisJobke]

Fixed with #5841

[jospoortvliet]

@georgehrke that config.php flag, is that documented by anything other than code? Would probably be good to use it when importing calendars ;-)

[georgehrke]

@jospoortvliet See the PR. I removed it upon request from @MorrisJobke and @LukasReschke

Will send a new PR for that.

[jospoortvliet]

Ah, makes sense, sorry for missing that. Thanks!

[Mer0me]

Is there a way to avoid sending invitations when importing a calendar ?
What is the recommanded way to migrate about 600 Outlook Calendars to Nextcloud without sending hundreds of invitations already answered ?

[chhaas]

Is there a way to avoid sending invitations when importing a calendar ? What is the recommanded way to migrate about 600 Outlook Calendars to Nextcloud without sending hundreds of invitations already answered ?

hello @Mer0me,

which nextcloud-version you were using?

It happened to me with Nextcloud 17.1 and it was very embarrassing, since also invitations went out for appointments, for which I wasn't even the appointment-owner :-( - no matter if the appointment was in the past or in the future.

Now I'm afraid it could happen also with the recent Nextcloud-releases!

Seems to be a long running problem - see also bug #545

All notifications and invitations should be completely disabled during calendar import, since at the time the appointments were created (in whatever system) generated invitations to attendees and mailed them out. So there is absolutely no need to send again invitations when importing a calendar into nextcloud.

The only way to avoid this seems to me to block the account with which Nextcloud sends the notifications in my Postfix and then clear the queue. But I don't know if there is an retry from Nextcoud, if it can't send the invitation?

[Mer0me]

On NC v27.0.2 with Calendar App v4.4.5 , importing a .ics through the Calendar App still send invitations, even if you import the very same .ics twice.

Workaround : disable invitation sending in Nextcloud Administration panel (groupware section) during the importation. But doing that prevent any user to send invitation through calendar until the parameter is reverted.

Note that even if you import the .ics through a caldav client (like Thunderbird, even if client side email scheduling is checked in TB), when the event is synced on Nextcloud, the invitation is sent as well, unless the invitation sending is disabled in groupware section.

[section1]

Hi all, This problem still happens. a nice feature to have is when importing a calendar in the UI in the importing dialog a checkbox to enabled/disabled the notifications. Is that a possible feature to develop? other option that come to my mind is to have an option to completely enabled/disabled notifications in user settings... like the ones that exists in global settings-> groupware but per-user..

[Oclair]

Seriously this was never resolved?