Opened 17 years ago
Last modified 9 years ago
#4286 new defect
Accepts email addresses without validation
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | normal | Milestone: | next-major-releases |
| Component: | notification | Version: | 0.10.2 |
| Severity: | normal | Keywords: | notification |
| Cc: | jgoerzen@…, Thijs Triemstra | Branch: | |
| Release Notes: | |||
| API Changes: | |||
| Internal Changes: | |||
Description
trac accepts email addresses without validation several different places — on the New Ticket screen, on the settings screen, etc.
This is bad for several reasons. For starters, it could be abused by spammers. They could put the email address of a victim in the "Your email" box on the New Ticket screen, and submit a ticket to any Trac instance configured to send notifications of new tickets to the submitter.
It could also be used by a miscreant to subscribe an unwitting victim to notifications, as an annoyance.
trac should never send any emails that aren't verified opt-in emails.
Attachments (0)
Change History (14)
comment:1 by , 17 years ago
| Keywords: | notification added |
|---|
comment:2 by , 17 years ago
Yes, it really does happen in the wild, and in fact, has been:
http://www.salted.com/unsalted/contact-form-spam
Please set the type to whatever you like; you know better how your process fits this than I do.
thanks,
— John
comment:3 by , 17 years ago
| Component: | general → notification |
|---|---|
| Milestone: | → 1.0 |
| Owner: | changed from to |
follow-up: 6 comment:4 by , 16 years ago
Perhaps until this is implemented have a bad_email_addresses setting for [notification] allowing the admin to have a space delimited list of know bad email addresses which would serve to filter the addresses to be notified of changes?
comment:6 by , 14 years ago
| Cc: | added |
|---|
Replying to Pedro Algarvio, aka, s0undt3ch <ufs@…>:
Perhaps until this is implemented have a
bad_email_addressessetting for[notification]allowing the admin to have a space delimited list of know bad email addresses which would serve to filter the addresses to be notified of changes?
This sounds like a lot more work than a simple regexp that checks for a valid address (which is probably already available in stdlib somewhere?).
Any reason why this hasn't been implemented other than time etc? What would a good patch have to do..
comment:9 by , 13 years ago
An initial prototype of the e-mail address validation facility, for now a direct part of the notification subsystem, is available for review and comment.
See TracDev/Proposals/EmailValidation#CurrentDevelopmentStatus for some information on its state and also TracDev/Proposals/EmailValidation#Repository for information on how to access the repository.
Feel free to comment on the prototype by either putting the information here or in the TracDev/Proposals/EmailValidation#Discussion section of that page.
follow-up: 12 comment:10 by , 13 years ago
I'd like to take a look at it. It may take a bit of time, though, as I will have to learn git first :)
comment:11 by , 13 years ago
| Milestone: | unscheduled → next-major-0.1X |
|---|
comment:12 by , 13 years ago
Replying to rblank:
I'd like to take a look at it. It may take a bit of time, though, as I will have to learn git first :)
see EmailValidation#UsingtheRepository for a quick guide on how to use it…
comment:14 by , 9 years ago
| Owner: | removed |
|---|
Sure. On the other side, do spammers really need a proxy such as Trac to relay their spam emails?
I'd rather see this feature as an enhancement than a defect.