
Opened 10 years ago

Last modified 15 months ago

#4286 new defect

Accepts email addresses without validation

Reported by: John Goerzen <jgoerzen@…> Owned by:
Priority: normal Milestone: next-major-releases
Component: notification Version: 0.10.2
Severity: normal Keywords: notification
Cc: jgoerzen@…, Thijs Triemstra
Release Notes:
API Changes:

Description

trac accepts email addresses without validation several different places — on the New Ticket screen, on the settings screen, etc.

This is bad for several reasons. For starters, it could be abused by spammers. They could put the email address of a victim in the "Your email" box on the New Ticket screen, and submit a ticket to any Trac instance configured to send notifications of new tickets to the submitter.

It could also be used by a miscreant to subscribe an unwitting victim to notifications, as an annoyance.

trac should never send any emails that aren't verified opt-in emails.

Attachments (0)

Change History (14)

comment:1 Changed 10 years ago by Emmanuel Blot

Keywords: notification added

Sure. On the other side, do spammers really need a proxy such as Trac to relay their spam emails?

I'd rather see this feature as an enhancement than a defect.

comment:2 Changed 10 years ago by John Goerzen <jgoerzen@…>

Yes, it really does happen in the wild, and in fact, has been:

http://www.salted.com/unsalted/contact-form-spam

http://www.google.com/search?q=email+form+spam&ie=utf-8&oe=utf-8&rls=org.debian:en-US:unofficial&client=firefox-a

Please set the type to whatever you like; you know better how your process fits this than I do.

thanks,

— John

comment:3 Changed 9 years ago by Christian Boos

Component: general → notification
Milestone: 1.0
Owner: changed from Jonas Borgström to Emmanuel Blot

comment:4 Changed 8 years ago by Pedro Algarvio, aka, s0undt3ch <ufs@…>

Perhaps until this is implemented have a bad_email_addresses setting for [notification] allowing the admin to have a space delimited list of known bad email addresses which would serve to filter the addresses to be notified of changes?

comment:5 Changed 6 years ago by Christian Boos

Milestone: 1.0 → unscheduled

Milestone 1.0 deleted

comment:6 in reply to: 4 Changed 6 years ago by Thijs Triemstra <lists@…>

Cc: lists@… added

Replying to Pedro Algarvio, aka, s0undt3ch <ufs@…>:

Perhaps until this is implemented have a bad_email_addresses setting for [notification] allowing the admin to have a space delimited list of known bad email addresses which would serve to filter the addresses to be notified of changes?

This sounds like a lot more work than a simple regexp that checks for a valid address (which is probably already available in stdlib somewhere?).

Any reason why this hasn't been implemented other than time etc? What would a good patch have to do?
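As an added example (not code from this ticket, nor from Trac itself), here is how the two suggestions above could be combined: the stdlib-based syntactic check that comment:6 asks about, using email.utils.parseaddr plus a conservative regexp, and comment:4's proposed space-delimited bad_email_addresses setting applied as a recipient filter. The option name, its sample value and the function names are assumptions for illustration, not a real Trac option or API.

```python
import re
from email.utils import parseaddr

# Hypothetical value of the proposed [notification] bad_email_addresses option:
# a space-delimited list of known-bad addresses, as suggested in comment:4.
BAD_EMAIL_ADDRESSES = "spammer@example.com victim@example.net"

# Conservative syntactic check: one local part, one '@', a dotted domain with a
# TLD. It deliberately rejects bare hostnames and anything with extra characters.
_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")


def is_valid_address(addr):
    """Return True when `addr` is a single, bare, plausibly deliverable mailbox."""
    if not addr:
        return False
    # parseaddr() splits "Name <addr>" forms; if the mailbox it extracts differs
    # from the raw input, a display name, angle brackets, a second address or
    # trailing junk was present, none of which belong in a "Your email" field.
    _name, mailbox = parseaddr(addr)
    if mailbox != addr.strip():
        return False
    return _ADDR_RE.match(mailbox) is not None


def parse_bad_addresses(setting):
    """Turn the space-delimited option value into a case-folded set."""
    return {a.lower() for a in setting.split()}


def filter_recipients(addresses, bad_setting=BAD_EMAIL_ADDRESSES):
    """Split a notification recipient list into (accepted, rejected).

    An address is rejected when it fails the syntactic check or when it appears
    (case-insensitively) in the admin-maintained bad-address list.
    """
    bad = parse_bad_addresses(bad_setting)
    accepted, rejected = [], []
    for raw in addresses:
        addr = raw.strip()
        if not is_valid_address(addr) or addr.lower() in bad:
            rejected.append(raw)
        else:
            accepted.append(addr)
    return accepted, rejected
```

A syntactic check only stops malformed or listed input; it does not give the verified opt-in the reporter asks for, which needs a confirmation round-trip before an address receives notifications.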

comment:7 Changed 6 years ago by Thijs Triemstra

Cc: Thijs Triemstra added; lists@… removed

#9900 was closed as a duplicate.

comment:8 Changed 6 years ago by Carsten Klein <carsten.klein@…>

comment:9 Changed 6 years ago by Carsten Klein <carsten.klein@…>

An initial prototype of the e-mail address validation facility, for now a direct part of the notification subsystem, is available for review and comment.

See TracDev/Proposals/EmailValidation#CurrentDevelopmentStatus for some information on its state and also TracDev/Proposals/EmailValidation#Repository for information on how to access the repository.

Feel free to comment on the prototype by either putting the information here or in the TracDev/Proposals/EmailValidation#Discussion section of that page.

comment:10 Changed 6 years ago by Remy Blank

I'd like to take a look at it. It may take a bit of time, though, as I will have to learn git first :)

comment:11 Changed 6 years ago by Thijs Triemstra

Milestone: unscheduled → next-major-0.1X

comment:12 in reply to: 10 Changed 6 years ago by Carsten Klein <carsten.klein@…>

Replying to rblank:

I'd like to take a look at it. It may take a bit of time, though, as I will have to learn git first :)

see EmailValidation#UsingtheRepository? for a quick guide on how to use it…

comment:13 Changed 6 years ago by Carsten Klein <carsten.klein@…>

here is the correct link: TracDev/Proposals/EmailValidation

comment:14 Changed 15 months ago by Ryan J Ollos

Owner: Emmanuel Blot deleted
