Roundup Tracker - Issues

Issue 2551089

classification
Title: pgp encrypt=yes, but password reset email is sent unencrypted
Type: security Severity: normal
Components: Mail interface Versions: 1.5
process
Status: new Resolution:
Dependencies: Superseder:
Assigned To: Nosy List: ThomasAH, ber, rouilj
Priority: normal Keywords:

Created on 2020-08-31 09:09 by ThomasAH, last changed 2020-08-31 13:21 by ber.

Messages
msg6950 Author: [hidden] (ThomasAH) Date: 2020-08-31 09:09
Tested with Roundup version 1.5.1 with config.ini settings:

[pgp]
enable = yes
encrypt = yes
require_incoming = encrypted


When requesting a password reset via the web interface, the
reset email is sent unencrypted.

So far I haven't tested with newer Roundup versions.
msg6951 Author: [hidden] (rouilj) Date: 2020-08-31 13:15
Hi Thomas:

In message <1598864970.91.0.430551620876.issue2551089@roundup.psfhosted.org>,
Thomas Arendsen Hein writes:
>When requesting a password reset via the web interface, the
>reset email is sent unencrypted.

The reset email is sent using mailer.py:Mailer::standard_message. This
method doesn't send encrypted emails. The bounce_message method in the
same class does support pgp encryption and may provide an outline of
how to implement encryption. Maybe changing the signature to include
crypt=False and implementing pgp encryption would work?

I assume your concern is that the reset email url is available in
plain text and could be used by a bad actor?

>So far I haven't tested with newer Roundup versions.

I did the analysis using 2.0.0 so password reset emails are still
unencrypted.
msg6952 Author: [hidden] (ber) Date: 2020-08-31 13:21
> I assume your concern is that the reset email url is available in
> plain text and could be used by a bad actor?

Yes, and the next mail has the password and is unencrypted.
History
Date User Action Args
2020-08-31 13:21:04bersetmessages: + msg6952
2020-08-31 13:15:43rouiljsetnosy: + rouilj
messages: + msg6951
2020-08-31 09:09:30ThomasAHcreate