Opened 8 years ago

Last modified 4 years ago

#4286 new defect

Accepts email addresses without validation

Reported by: John Goerzen <jgoerzen@…> Owned by: eblot
Priority: normal Milestone: next-major-releases
Component: notification Version: 0.10.2
Severity: normal Keywords: notification
Cc: jgoerzen@…, thijstriemstra
Release Notes:
API Changes:

Description

trac accepts email addresses without validation in several different places — on the New Ticket screen, on the settings screen, etc.

This is bad for several reasons. For starters, it could be abused by spammers. They could put the email address of a victim in the "Your email" box on the New Ticket screen, and submit a ticket to any Trac instance configured to send notifications of new tickets to the submitter.

It could also be used by a miscreant to subscribe an unwitting victim to notifications, as an annoyance.

trac should never send any emails that aren't verified opt-in emails.

Attachments (0)

Change History (13)

comment:1 Changed 8 years ago by eblot

  • Keywords notification added

Sure. On the other side, do spammers really need a proxy such as Trac to relay their spam emails?

I'd rather see this feature as an enhancement than a defect.

comment:2 Changed 8 years ago by John Goerzen <jgoerzen@…>

Yes, it really does happen in the wild, and in fact, has been:

http://www.salted.com/unsalted/contact-form-spam

http://www.google.com/search?q=email+form+spam&ie=utf-8&oe=utf-8&rls=org.debian:en-US:unofficial&client=firefox-a

Please set the type to whatever you like; you know better how your process fits this than I do.

thanks,

— John

comment:3 Changed 7 years ago by cboos

  • Component changed from general to notification
  • Milestone set to 1.0
  • Owner changed from jonas to eblot

comment:4 follow-up: Changed 7 years ago by Pedro Algarvio, aka, s0undt3ch <ufs@…>

Perhaps until this is implemented have a bad_email_addresses setting for [notification] allowing the admin to have a space delimited list of known bad email addresses which would serve to filter the addresses to be notified of changes?

comment:5 Changed 4 years ago by cboos

  • Milestone changed from 1.0 to unscheduled

Milestone 1.0 deleted

comment:6 in reply to: ↑ 4 Changed 4 years ago by Thijs Triemstra <lists@…>

  • Cc lists@… added

Replying to Pedro Algarvio, aka, s0undt3ch <ufs@…>:

Perhaps until this is implemented have a bad_email_addresses setting for [notification] allowing the admin to have a space delimited list of known bad email addresses which would serve to filter the addresses to be notified of changes?

This sounds like a lot more work than a simple regexp that checks for a valid address (which is probably already available in stdlib somewhere?).

Any reason why this hasn't been implemented other than time etc? What would a good patch have to do?
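A sketch of the two ideas raised in comment:4 (an admin-maintained bad_email_addresses deny-list) and comment:6 (a stdlib regexp that rejects malformed addresses), as an added Python example; it is not code from Trac or from the prototype referenced later in this ticket. The bad_email_addresses option name is the hypothetical one proposed in comment:4, and the sample addresses are constructed.

```python
import re

# Syntactic check only: exactly one ASCII mailbox with a dotted domain and no
# whitespace, commas or line breaks (which would smuggle extra recipients or
# headers into the notification). It says nothing about whether the owner of
# the address opted in, which is what the ticket description actually asks for.
ADDRESS_RE = re.compile(
    r"[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}"
)

def is_valid_address(value):
    """True if `value` looks like a single deliverable address."""
    # fullmatch, not match: with match() a trailing newline would still pass.
    return ADDRESS_RE.fullmatch(value) is not None

def parse_bad_addresses(setting):
    """Parse the space-delimited value of the hypothetical
    [notification] bad_email_addresses option into a lower-cased set."""
    return {addr.lower() for addr in setting.split()}

def filter_recipients(candidates, bad_addresses):
    """Return (accepted, rejected): valid, non-deny-listed, de-duplicated
    addresses, plus a list of (original value, reason) for everything dropped."""
    accepted, rejected, seen = [], [], set()
    for raw in candidates:
        addr = raw.strip()
        key = addr.lower()
        if not is_valid_address(addr):
            rejected.append((raw, "malformed"))
        elif key in bad_addresses:
            rejected.append((raw, "deny-listed"))
        elif key in seen:
            rejected.append((raw, "duplicate"))
        else:
            seen.add(key)
            accepted.append(addr)
    return accepted, rejected

if __name__ == "__main__":
    # Constructed sample input standing in for values typed into "Your email".
    deny = parse_bad_addresses("spamtarget@example.net Victim@example.org")
    submitted = ["dev@example.com", "victim@example.org", "a@b.com, c@d.com",
                 "a@b.com\nsecond line", "Dev@example.com", "not-an-address"]
    ok, dropped = filter_recipients(submitted, deny)
    print("notify:", ok)        # ['dev@example.com']
    print("skip:", dropped)
```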

comment:7 Changed 4 years ago by thijstriemstra

  • Cc thijstriemstra added; lists@… removed

#9900 was closed as a duplicate.

comment:8 Changed 4 years ago by Carsten Klein <carsten.klein@…>

comment:9 Changed 4 years ago by Carsten Klein <carsten.klein@…>

An initial prototype of the e-mail address validation facility, for now a direct part of the notification subsystem, is available for review and comment.

See TracDev/Proposals/EmailValidation#CurrentDevelopmentStatus for some information on its state and also TracDev/Proposals/EmailValidation#Repository for information on how to access the repository.

Feel free to comment on the prototype by either putting the information here or in the TracDev/Proposals/EmailValidation#Discussion section of that page.

comment:10 follow-up: Changed 4 years ago by rblank

I'd like to take a look at it. It may take a bit of time, though, as I will have to learn git first :)

comment:11 Changed 4 years ago by thijstriemstra

  • Milestone changed from unscheduled to next-major-0.1X

comment:12 in reply to: ↑ 10 Changed 4 years ago by Carsten Klein <carsten.klein@…>

Replying to rblank:

I'd like to take a look at it. It may take a bit of time, though, as I will have to learn git first :)

See EmailValidation#UsingtheRepository? for a quick guide on how to use it…

comment:13 Changed 4 years ago by Carsten Klein <carsten.klein@…>

Here is the correct link: TracDev/Proposals/EmailValidation
