Created on 2020-08-31 09:09 by ThomasAH, last changed 2020-08-31 13:21 by ber.
Author: [hidden] (ThomasAH)
Date: 2020-08-31 09:09
Tested with Roundup version 1.5.1 with config.ini settings:
    enable = yes
    encrypt = yes
    require_incoming = encrypted
When requesting a password reset via the web interface, the
reset email is sent unencrypted.
So far I haven't tested with newer Roundup versions.
Author: [hidden] (rouilj)
Date: 2020-08-31 13:15
In message <email@example.com>,
Thomas Arendsen Hein writes:
>When requesting a password reset via the web interface, the
>reset email is sent unencrypted.
The reset email is sent using mailer.py:Mailer::standard_message. This
method doesn't send encrypted emails. The bounce_message method in the
same class does support pgp encryption and may provide an outline of
how to implement encryption. Maybe changing the signature to include
crypt=False and implementing pgp encryption would work?
I assume your concern is that the reset email url is available in
plain text and could be used by a bad actor?
>So far I haven't tested with newer Roundup versions.
I did the analysis using 2.0.0 so password reset emails are still
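An added defender-side check, written for this thread and not part of Roundup's code: it tells a well-formed PGP/MIME message apart from the plaintext reset mail the report describes, lists the secret-bearing markers readable in such a mail, and fails closed when the pgp settings quoted above ask for encryption. The two sample messages, the tracker hostname, the reset URL shape with its placeholder token, and all function names are constructed assumptions.

```python
import email
from email import policy

def parse_mail(raw: str):
    """Parse an RFC 5322 message string into an EmailMessage (policy.default)."""
    return email.message_from_string(raw, policy=policy.default)

def is_pgp_mime_encrypted(msg) -> bool:
    """True only for a well-formed RFC 3156 multipart/encrypted PGP/MIME message."""
    if msg.get_content_type() != "multipart/encrypted":
        return False
    if msg.get_param("protocol") != "application/pgp-encrypted":
        return False
    parts = list(msg.iter_parts())
    return (len(parts) == 2
            and parts[0].get_content_type() == "application/pgp-encrypted"
            and parts[1].get_content_type() == "application/octet-stream")

def plaintext_secret_markers(msg, markers=("otk=", "password")):
    """Secret markers readable in the body; empty for encrypted mail (payload opaque)."""
    if is_pgp_mime_encrypted(msg):
        return []
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    return [m for m in markers if m in text]

def guard_outgoing(msg, pgp_cfg) -> str:
    """Fail closed: with enable=yes and encrypt=yes, refuse anything not PGP/MIME."""
    want_crypto = pgp_cfg.get("enable") == "yes" and pgp_cfg.get("encrypt") == "yes"
    if want_crypto and not is_pgp_mime_encrypted(msg):
        return "refuse"
    return "send"

# Constructed sample of the reported reset mail; host and token are placeholders.
RESET_MAIL = (
    "From: roundup-admin@tracker.example\nTo: user@example.test\n"
    "Subject: Confirm reset of password for Roundup tracker\n"
    'Content-Type: text/plain; charset="us-ascii"\n\n'
    "To reset the password visit the following URL:\n\n"
    "http://tracker.example/?@action=passrst&otk=PLACEHOLDER-TOKEN\n"
)
# Constructed PGP/MIME envelope with a placeholder instead of real ciphertext.
ENCRYPTED_MAIL = (
    'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";'
    ' boundary="b1"\n\n--b1\nContent-Type: application/pgp-encrypted\n\n'
    "Version: 1\n--b1\nContent-Type: application/octet-stream\n\n"
    "-----BEGIN PGP MESSAGE-----\n(placeholder)\n-----END PGP MESSAGE-----\n--b1--\n"
)
# The pgp settings quoted in the report, as a plain dict.
PGP_CFG = {"enable": "yes", "encrypt": "yes", "require_incoming": "encrypted"}
```

With the report's settings, `guard_outgoing` returns "refuse" for the plaintext reset mail and "send" for the PGP/MIME one; the same check run over copies of outgoing mail shows whether a tracker is affected.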
Author: [hidden] (ber)
Date: 2020-08-31 13:21
> I assume your concern is that the reset email url is available in
> plain text and could be used by a bad actor?
Yes, and the next mail has the password and is unencrypted.