
[Privacy] Gitea leaks hidden email addresses #4417

Closed
1 of 7 tasks
ghost opened this issue Jul 10, 2018 · 4 comments · Fixed by #4664
Labels
topic/security Something leaks user information or is otherwise vulnerable. Should be fixed!
Comments

@ghost

ghost commented Jul 10, 2018

  • Gitea version (or commit ref): 3e445cc
  • Git version: not relevant
  • Operating system: not relevant
  • Database (use [x]):
    • PostgreSQL
    • MySQL
    • MSSQL
    • SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • No
    • Not relevant
  • Log gist:

Description

Screenshots

@lafriks lafriks added the topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! label Jul 12, 2018
@msg7086

msg7086 commented Aug 8, 2018

Just hit this bug due to the CSRF issue. Got a long list of Email addresses for every victim of that issue.

(Automatically followed OP, then got notifications of all events, leaking the Email addresses.)

(screenshot: email-leaking)

@techknowlogick
Member

For anyone looking to solve this issue, the line you can change is here:

SendIssueMentionMail(issue, doer, content, comment, getUserEmailsByNames(e, tos))
It passes all emails into the function, but what could be done is to loop over the emails and then individually pass them into the SendIssueMentionMail function (the last argument in that function is where the emails get passed in).

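The pattern described in the comment above, shown as an added example that is not Gitea's own code: a single send that takes the whole recipient list puts every watcher's address in the To: header, while looping and sending one message per address exposes nothing. The mailMessage type, the function names and the sample addresses are all assumptions made for this illustration; only the idea (one send per recipient instead of one send for all) comes from the thread.

```go
package main

import (
	"fmt"
	"strings"
)

// mailMessage is a minimal stand-in for an outgoing notification mail.
// Hypothetical type for this example; Gitea's own mailer types differ.
type mailMessage struct {
	To      []string
	Subject string
	Body    string
}

// Headers renders the visible envelope headers the way a recipient's
// mail client would show them.
func (m mailMessage) Headers() string {
	return fmt.Sprintf("To: %s\r\nSubject: %s\r\n", strings.Join(m.To, ", "), m.Subject)
}

// leakyMentionMails mirrors the pattern discussed in the thread: the whole
// recipient list is handed to a single send, so every watcher sees every
// other watcher's address in the To: header of the mail they receive.
func leakyMentionMails(subject, body string, tos []string) []mailMessage {
	return []mailMessage{{To: tos, Subject: subject, Body: body}}
}

// perRecipientMentionMails is the fix the comment suggests: loop over the
// recipients and build one message per address, each carrying only its own.
func perRecipientMentionMails(subject, body string, tos []string) []mailMessage {
	msgs := make([]mailMessage, 0, len(tos))
	for _, to := range tos {
		msgs = append(msgs, mailMessage{To: []string{to}, Subject: subject, Body: body})
	}
	return msgs
}

// crossRecipientLeaks lists every "recipient sees other" pair where a message
// delivered to one recipient carries a different recipient's address in its
// headers. An empty result means no watcher can learn another's address.
func crossRecipientLeaks(msgs []mailMessage, tos []string) []string {
	var leaks []string
	for _, m := range msgs {
		hdr := m.Headers()
		for _, rcpt := range m.To {
			for _, other := range tos {
				if other != rcpt && strings.Contains(hdr, other) {
					leaks = append(leaks, rcpt+" sees "+other)
				}
			}
		}
	}
	return leaks
}

func main() {
	// Constructed sample watcher list for the example; not real addresses.
	tos := []string{"alice@example.org", "bob@example.net", "carol@example.com"}
	fmt.Println("single send:", len(crossRecipientLeaks(leakyMentionMails("Re: #1", "hi", tos), tos)), "leaks")
	fmt.Println("per-recipient:", len(crossRecipientLeaks(perRecipientMentionMails("Re: #1", "hi", tos), tos)), "leaks")
}
```

With three watchers the single send yields six leaks (each of the three sees the other two), and the per-recipient variant yields none. The cost of the per-recipient approach is the one raised later in this thread: since each watcher's mail lists only that watcher, a "Reply All" no longer reaches the other watchers.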
@HenrikBengtsson
Contributor

Not a complaint, just asking for clarification: This fix means that email notifications for issues will be sent out to each watcher independently starting with Gitea 1.5.1, correct? This means that users will no longer be able to do 'Reply All' to continue an email-only thread on the topic, correct?

@lafriks
Member

lafriks commented Aug 30, 2018

@HenrikBengtsson yes

@go-gitea go-gitea locked and limited conversation to collaborators Nov 24, 2020

5 participants