Edgewall Software
Modify

Opened 12 years ago

Closed 11 years ago

Last modified 5 years ago

#6532 closed defect (fixed)

email addresses leaked to users on ticket's CC list

Reported by: weltepe@… Owned by: osimons
Priority: high Milestone: 0.11.2
Component: ticket system Version: 0.11b1
Severity: normal Keywords: notification obfuscation
Cc: Branch:
Release Notes:
API Changes:

Description

This is related to #153 ("if you discover any leak of e-mails information remaining for unauthorized users, please create a new ticket").

Anyone who is on a ticket's CC list will be notified by email of ticket changes which include changes to the CC list. Although email addresses on Trac webpages show up as username@…, they are sent unobfusicated to everyone on the CC list.

What I expected to happen is for the notification email to say something like:

Changes (by username):

  • cc: username@… (added)

but instead it says:

  • cc: username@domain (added)

I'm marking this as a 0.11 milestone since it seems it should go along with the privacy fixes in #153.

Attachments (1)

t6532-obfuscate_ticket_notification_r7599.diff (2.3 KB ) - added by osimons 11 years ago.
Always obfuscates author, reporter, owner and cc in ticket notification emails.

Download all attachments as: .zip

Change History (17)

comment:1 by anonymous, 12 years ago

Resolution: worksforme
Status: newclosed

Use the use_public_cc option to prevent this.

in reply to:  1 ; comment:2 by osimons, 12 years ago

Resolution: worksforme
Status: closedreopened

Replying to anonymous:

Use the use_public_cc option to prevent this.

Reading the ticket description and doing some testing, I see that this is a problem in ticket body and not in the distribution list. Reopening.

Both additions and removals will arrive with full email in notifications.

Additionally, if owner and reporter are emails, they are obfuscated when viewing the ticket, but they will be displayed in full:

  • in summary table on notification emails
  • when changing from one reporter to another, the change persists on the comment in full
  • the same owner or reporter change appear also with full emails on the notification email.

With the ability through preferences to set another name + hidden email, for owner and reporter this might not be the biggest of issues. However, if nothing else the behavior ought to be consistent.

comment:3 by anonymous, 12 years ago

Component: generalticket system
Keywords: email privacy spam removed

comment:4 by Emmanuel Blot, 12 years ago

anonymous was me.

comment:5 by Christian Boos, 12 years ago

Keywords: obfuscation added

Thanks for the report.

Yes, this is one place that was overlooked (btw manu, I didn't do much (ok - any) testing of the e-mail notifications besides running the unit-tests. I hope everything still works as expected there).

comment:6 by Christian Boos, 12 years ago

Milestone: 0.110.11.1

Not that critical, as you first need to subscribe to tickets in order to see the e-mails. Moving to 0.11.x.

comment:7 by anonymous, 11 years ago

Is it possible to include the CC list in all notification emails?

in reply to:  7 comment:8 by osimons, 11 years ago

Replying to anonymous:

Is it possible to include the CC list in all notification emails?

Not as a feature of Trac, but you are free to customise the e-mail notification template to contain what you like.

comment:9 by osimons, 11 years ago

Hmm. Tricky this one. The user that makes the ticket change that triggers the e-mail may not have permission to see e-mail addresses. But others on the mailing list may be allowed to see them, and should they be able to see them in the e-mail they receive? And the other way around; if we use the current e-mail obfuscation code, someone with EMAIL_VIEW permissions making a change on the ticket will lead to all users receiving the rendered notification without obfuscation.

I suppose the only real option is to permanently obfuscate all e-mails in notifications regardless of permission?

comment:10 by osimons, 11 years ago

Owner: changed from Jonas Borgström to osimons
Status: reopenednew

I'll put this on my to-do. The problem is quite similar to #7431.

comment:11 by osimons, 11 years ago

Milestone: 0.11.30.11.2

Patch that obfuscates all cc add/remove in notification body:

  • trac/ticket/notification.py

    a b  
    2222from trac.notification import NotifyEmail
    2323from trac.util import md5
    2424from trac.util.datefmt import to_timestamp
    25 from trac.util.text import CRLF, wrap, to_unicode
     25from trac.util.text import CRLF, wrap, to_unicode, obfuscate_email_address
    2626
    2727from genshi.template.text import TextTemplate
    2828
     
    196196    def diff_cc(self, old, new):
    197197        oldcc = NotifyEmail.addrsep_re.split(old)
    198198        newcc = NotifyEmail.addrsep_re.split(new)
    199         added = [x for x in newcc if x and x not in oldcc]
    200         removed = [x for x in oldcc if x and x not in newcc]
     199        added = [obfuscate_email_address(x) \
     200                                for x in newcc if x and x not in oldcc]
     201        removed = [obfuscate_email_address(x) \
     202                                for x in oldcc if x and x not in newcc]
    201203        return (added, removed)
    202204
    203205    def format_hdr(self):

comment:12 by Remy Blank, 11 years ago

Patch tested here, works well.

in reply to:  9 comment:13 by Christian Boos, 11 years ago

Replying to osimons:

I suppose the only real option is to permanently obfuscate all e-mails in notifications regardless of permission?

No, we should make 2 lists, the people who can see the e-mail without obfuscation and those who can't (the public lists like always_cc probably being in the latter camp), and then generate two series of e-mails.

We anyway need to be able to generate different styles of e-mails for different people, think i18n and/or preferred mail format (plain, wiki text, HTML, see #2625).

in reply to:  2 comment:14 by osimons, 11 years ago

Replying to osimons:

Additionally, if owner and reporter are emails, they are obfuscated when viewing the ticket, but they will be displayed in full:

  • in summary table on notification emails
  • the same owner or reporter change appear also with full emails on the notification email.

Seems I have forgotten some of my earlier research into this issue. With the 'better safe than sorry' approach to obfuscation, the notification email should really obfuscate owner, reporter and additionally the change author that we also include in the email.

by osimons, 11 years ago

Always obfuscates author, reporter, owner and cc in ticket notification emails.

comment:15 by osimons, 11 years ago

New patch for 0.11 above, with partial output from test email looking like this:

#88: Testing obfuscated ticket notification 2
----------------------------------+-----------------------------------------
Reporter:  bar@…                 |       Owner:  bar@…             
    Type:  defect                |      Status:  assigned            
    .....
----------------------------------+-----------------------------------------
Changes (by bar@…):

* cc: foo@… (removed)
* cc: bar@… (added)
 * owner:  foo@… => bar@…
 * reporter:  foo@… => bar@…

comment:16 by osimons, 11 years ago

Resolution: fixed
Status: newclosed

Patch committed in [7646] for 0.11-stable and merged to trunk in [7647].

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain osimons.
The resolution will be deleted. Next status will be 'reopened'.

Add Comment


E-mail address and name can be saved in the Preferences .
 
Note: See TracTickets for help on using tickets.