synox / disposable-email-imap Goto Github PK

I'm slowly working on a implementation of refresh on new mail, no code done but using waiting.html checkMails as a reference. As it is right now i just have a button that does onClick="history.go(0)"
And while i was hashing out the idea i quickly realized that having the page refresh at intervals would be annoying while reading an email. Then again we could set up a pool of ~5m and then eventually integrate a desktop notification of new mail (testing the concept on OS X)

I was wondering if you had thoughts about this before i start.

I've been trying to delete messages every hour as a test and i can't seem to manage this.
I'm using the following snippet

$before = date('d-m-Y H:i:s', strtotime('1 hour ago'));

based on vendor/php-imap/php-imap/src/PhpImap/Mailbox.php it seems to be only showing date and not datetime.

Yet it seems to support the time format

$mail->date = date('d-m-Y H:i:s', isset($head->date) ? strtotime(preg_replace('/\(.*?\)/', '', $head->date)) : time());

On PHP5-FPM (5.5.9) with php5-imap module:

Fatal error: Call to undefined function imap_sort() in /var/www/h0t.in/mail/index.php on line 138

Any ideas?

any way I can run this on nginx?

Currently the html and source functions do not check the parameters properly, and all emails can easily be enumared.

Do you think that is valid if we implement a temporary cookie block other users from accessing a given mail? Because as the software is today, multiple users can have access to the same mailbox, what can allow a malicious user to search for mails on all possible mailboxes on the server. The cookie should be encrypted with strong encryption and a random key for every mail boxes, to keep cookie stealers from identifying what mail box was locked to the user browser. If we are using HTTPS, only the server will know what mail is locked to that browser. The cookie should be deleted on tab closing, if the user click that back or refresh button and for every new tab, with every new mail, a new encrypted cookie should be set. We can use javascript onbeforeunload and onunload to first alert the user that if he leaves the page the session will be terminated and then delete the cookie.

A statement that the service store a cookie for that should be made, of course, but such implementation should be pretty privacy friendly.