email addresses leaked to users on ticket's CC list

[weltepe@…]

This is related to #153 ("if you discover any leak of e-mails information remaining for unauthorized users, please create a new ticket").

Anyone who is on a ticket's CC list will be notified by email of ticket changes which include changes to the CC list. Although email addresses on Trac webpages show up as username@..., they are sent unobfusicated to everyone on the CC list.

What I expected to happen is for the notification email to say something like:

Changes (by username):

• cc: username@... (added)

but instead it says:

• cc: username@domain (added)

I'm marking this as a 0.11 milestone since it seems it should go along with the privacy fixes in #153.

[anonymous]

Use the use_public_cc option to prevent this.

[osimons]

Replying to anonymous:

Use the use_public_cc option to prevent this.

Reading the ticket description and doing some testing, I see that this is a problem in ticket body and not in the distribution list. Reopening.

Both additions and removals will arrive with full email in notifications.

Additionally, if owner and reporter are emails, they are obfuscated when viewing the ticket, but they will be displayed in full:

• in summary table on notification emails
• when changing from one reporter to another, the change persists on the comment in full
• the same owner or reporter change appear also with full emails on the notification email.

With the ability through preferences to set another name + hidden email, for owner and reporter this might not be the biggest of issues. However, if nothing else the behavior ought to be consistent.

[eblot]

anonymous was me.

[cboos]

Thanks for the report.

Yes, this is one place that was overlooked (btw manu, I didn't do much (ok - any) testing of the e-mail notifications besides running the unit-tests. I hope everything still works as expected there).

[cboos]

Not that critical, as you first need to subscribe to tickets in order to see the e-mails. Moving to 0.11.x.

[anonymous]

Is it possible to include the CC list in all notification emails?

[osimons]

Replying to anonymous:

Is it possible to include the CC list in all notification emails?

Not as a feature of Trac, but you are free to customise the e-mail notification template to contain what you like.

[osimons]

Hmm. Tricky this one. The user that makes the ticket change that triggers the e-mail may not have permission to see e-mail addresses. But others on the mailing list may be allowed to see them, and should they be able to see them in the e-mail they receive? And the other way around; if we use the current e-mail obfuscation code, someone with EMAIL_VIEW permissions making a change on the ticket will lead to all users receiving the rendered notification without obfuscation.

I suppose the only real option is to permanently obfuscate all e-mails in notifications regardless of permission?

[osimons]

I'll put this on my to-do. The problem is quite similar to #7431.

[osimons]

Patch that obfuscates all cc add/remove in notification body:

trac/ticket/notification.py

@@ -22 +22 @@
 from trac.notification import NotifyEmail
 from trac.util import md5
 from trac.util.datefmt import to_timestamp
-from trac.util.text import CRLF, wrap, to_unicode
+from trac.util.text import CRLF, wrap, to_unicode, obfuscate_email_address
 
 from genshi.template.text import TextTemplate
 
@@ -196 +196 @@
     def diff_cc(self, old, new):
         oldcc = NotifyEmail.addrsep_re.split(old)
         newcc = NotifyEmail.addrsep_re.split(new)
-        added = [x for x in newcc if x and x not in oldcc]
-        removed = [x for x in oldcc if x and x not in newcc]
+        added = [obfuscate_email_address(x) \
+                                for x in newcc if x and x not in oldcc]
+        removed = [obfuscate_email_address(x) \
+                                for x in oldcc if x and x not in newcc]
         return (added, removed)
 
     def format_hdr(self):

[rblank]

Patch tested here, works well.

[cboos]

Replying to osimons:

I suppose the only real option is to permanently obfuscate all e-mails in notifications regardless of permission?

No, we should make 2 lists, the people who can see the e-mail without obfuscation and those who can't (the public lists like always_cc probably being in the latter camp), and then generate two series of e-mails.

We anyway need to be able to generate different styles of e-mails for different people, think i18n and/or preferred mail format (plain, wiki text, HTML, see #2625).

[osimons]

Replying to osimons:

Additionally, if owner and reporter are emails, they are obfuscated when viewing the ticket, but they will be displayed in full: * in summary table on notification emails * the same owner or reporter change appear also with full emails on the notification email.

Seems I have forgotten some of my earlier research into this issue. With the 'better safe than sorry' approach to obfuscation, the notification email should really obfuscate owner, reporter and additionally the change author that we also include in the email.

[osimons]

Always obfuscates author, reporter, owner and cc in ticket notification emails.

[osimons]

New patch for 0.11 above, with partial output from test email looking like this:

#88: Testing obfuscated ticket notification 2
----------------------------------+-----------------------------------------
Reporter:  bar@…                 |       Owner:  bar@…             
    Type:  defect                |      Status:  assigned            
    .....
----------------------------------+-----------------------------------------
Changes (by bar@…):

* cc: foo@… (removed)
* cc: bar@… (added)
 * owner:  foo@… => bar@…
 * reporter:  foo@… => bar@…

[osimons]

Patch committed in [7646] for 0.11-stable and merged to trunk in [7647].