Edgewall Software
Modify

Opened 18 years ago

Last modified 10 years ago

#4286 new defect

Accepts email addresses without validation

Reported by: John Goerzen <jgoerzen@…> Owned by:
Priority: normal Milestone: next-major-releases
Component: notification Version: 0.10.2
Severity: normal Keywords: notification
Cc: jgoerzen@…, Thijs Triemstra Branch:
Release Notes:
API Changes:
Internal Changes:

Description

trac accepts email addresses without validation several different places — on the New Ticket screen, on the settings screen, etc.

This is bad for several reasons. For starters, it could be abused by spammers. They could put the email address of a victim in the "Your email" box on the New Ticket screen, and submit a ticket to any Trac instance configured to send notifications of new tickets to the submitter.

It could also be used by a miscreant to subscribe an unwitting victim to notifications, as an annoyance.

trac should never send any emails that aren't verified opt-in emails.

Attachments (0)

Change History (14)

comment:1 by Emmanuel Blot, 18 years ago

Keywords: notification added

Sure. On the other side, do spammers really need a proxy such as Trac to relay their spam emails?

I'd rather see this feature as an enhancement than a defect.

comment:2 by John Goerzen <jgoerzen@…>, 18 years ago

Yes, it really does happen in the wild, and in fact, has been:

http://www.salted.com/unsalted/contact-form-spam

http://www.google.com/search?q=email+form+spam&ie=utf-8&oe=utf-8&rls=org.debian:en-US:unofficial&client=firefox-a

Please set the type to whatever you like; you know better how your process fits this than I do.

thanks,

— John

comment:3 by Christian Boos, 18 years ago

Component: generalnotification
Milestone: 1.0
Owner: changed from Jonas Borgström to Emmanuel Blot

comment:4 by Pedro Algarvio, aka, s0undt3ch <ufs@…>, 17 years ago

Perhaps until this is implemented have a bad_email_addresses setting for [notification] allowing the admin to have a space delimited list of know bad email addresses which would serve to filter the addresses to be notified of changes?

comment:5 by Christian Boos, 15 years ago

Milestone: 1.0unscheduled

Milestone 1.0 deleted

in reply to:  4 comment:6 by Thijs Triemstra <lists@…>, 14 years ago

Cc: lists@… added

Replying to Pedro Algarvio, aka, s0undt3ch <ufs@…>:

Perhaps until this is implemented have a bad_email_addresses setting for [notification] allowing the admin to have a space delimited list of know bad email addresses which would serve to filter the addresses to be notified of changes?

This sounds like a lot more work than a simple regexp that checks for a valid address (which is probably already available in stdlib somewhere?).

Any reason why this hasn't been implemented other than time etc? What would a good patch have to do..

comment:7 by Thijs Triemstra, 14 years ago

Cc: Thijs Triemstra added; lists@… removed

#9900 was closed as a duplicate.

comment:8 by Carsten Klein <carsten.klein@…>, 14 years ago

comment:9 by Carsten Klein <carsten.klein@…>, 14 years ago

An initial prototype of the e-mail address validation facility, for now a direct part of the notification subsystem, is available for review and comment.

See TracDev/Proposals/EmailValidation#CurrentDevelopmentStatus for some information on its state and also TracDev/Proposals/EmailValidation#Repository for information on how to access the repository.

Feel free to comment on the prototype by either putting the information here or in the TracDev/Proposals/EmailValidation#Discussion section of that page.

comment:10 by Remy Blank, 14 years ago

I'd like to take a look at it. It may take a bit of time, though, as I will have to learn git first :)

comment:11 by Thijs Triemstra, 14 years ago

Milestone: unschedulednext-major-0.1X

in reply to:  10 comment:12 by Carsten Klein <carsten.klein@…>, 14 years ago

Replying to rblank:

I'd like to take a look at it. It may take a bit of time, though, as I will have to learn git first :)

see EmailValidation#UsingtheRepository for a quick guide on how to use it…

comment:13 by Carsten Klein <carsten.klein@…>, 14 years ago

here is the correct link: TracDev/Proposals/EmailValidation

comment:14 by Ryan J Ollos, 10 years ago

Owner: Emmanuel Blot removed

Modify Ticket

Change Properties
Set your email in Preferences
Action
as new The ticket will remain with no owner.
The ticket will be disowned.
as The resolution will be set. Next status will be 'closed'.
The owner will be changed from (none) to anonymous. Next status will be 'assigned'.

Add Comment


E-mail address and name can be saved in the Preferences .
 
Note: See TracTickets for help on using tickets.