Issue 2551089
Created on 2020-08-31 09:09 by ThomasAH, last changed 2020-08-31 13:21 by ber.
msg6950
Author: [hidden] (ThomasAH)
Date: 2020-08-31 09:09

Tested with Roundup version 1.5.1 with config.ini settings:
[pgp]
enable = yes
encrypt = yes
require_incoming = encrypted
When requesting a password reset via the web interface, the
reset email is sent unencrypted.
So far I haven't tested with newer Roundup versions.

msg6951
Author: [hidden] (rouilj)
Date: 2020-08-31 13:15

Hi Thomas:
In message <1598864970.91.0.430551620876.issue2551089@roundup.psfhosted.org>,
Thomas Arendsen Hein writes:
> When requesting a password reset via the web interface, the
> reset email is sent unencrypted.
The reset email is sent using mailer.py:Mailer::standard_message. This
method doesn't send encrypted emails. The bounce_message method in the
same class does support pgp encryption and may provide an outline of
how to implement encryption. Maybe changing the signature to include
crypt=False and implementing pgp encryption would work?
I assume your concern is that the reset email url is available in
plain text and could be used by a bad actor?
>So far I haven't tested with newer Roundup versions.
I did the analysis using 2.0.0 so password reset emails are still
unencrypted.
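The failure mode described in this thread is a mail path that bypasses the encryption step while the configuration says encrypt = yes. The following is an added example, not Roundup's mailer.py: it models two send paths (one that can encrypt when passed crypt=True, one that never does, mirroring the bounce_message/standard_message split described above), puts a fail-closed check at the single transport choke point, and dry-runs every path to report which would leak a clear-text message. The names Mailer, send_notice, send_bounce, armor_stub and audit_paths are assumptions for illustration; armor_stub only produces an armored-looking envelope so the check has something to recognise and is not real OpenPGP encryption.

```python
"""Fail-closed check that every outbound mail path honours [pgp] encrypt=yes.

Added example, not Roundup code. The Mailer class and its methods are
assumptions that model the behaviour described in the issue.
"""
import base64
import configparser

# Constructed from the config.ini fragment quoted in the issue.
CONFIG_INI = """\
[pgp]
enable = yes
encrypt = yes
require_incoming = encrypted
"""

PGP_HEADER = "-----BEGIN PGP MESSAGE-----"


def load_pgp_policy(ini_text):
    """Return (enable, encrypt) booleans from the [pgp] section."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    pgp = cp["pgp"]
    return pgp.getboolean("enable", False), pgp.getboolean("encrypt", False)


def armor_stub(body):
    """Stand-in for OpenPGP encryption (assumption: real code would call gpg).

    Only wraps the body in an armored-looking envelope so the transport guard
    can tell "went through the encryption step" from "did not"; it provides no
    confidentiality by itself.
    """
    payload = base64.b64encode(body.encode()).decode()
    return f"{PGP_HEADER}\n\n{payload}\n-----END PGP MESSAGE-----"


class PolicyViolation(Exception):
    """Raised when a message would leave in clear text despite encrypt=yes."""


class Mailer:
    """Minimal model of a tracker mailer with a guarded transport (assumed)."""

    def __init__(self, ini_text):
        self.pgp_enable, self.pgp_encrypt = load_pgp_policy(ini_text)
        self.outbox = []  # (to, subject, body) tuples actually delivered

    def _transport(self, to, subject, body):
        # Guard at the one place every path must pass through, so a path that
        # forgot to encrypt cannot silently deliver plaintext.
        must_encrypt = self.pgp_enable and self.pgp_encrypt
        if must_encrypt and not body.startswith(PGP_HEADER):
            raise PolicyViolation(f"refusing clear-text mail to {to}: {subject!r}")
        self.outbox.append((to, subject, body))

    def send_notice(self, to, subject, body):
        """Models a path like standard_message: never encrypts."""
        self._transport(to, subject, body)

    def send_bounce(self, to, subject, body, crypt=False):
        """Models a path like bounce_message: encrypts only when crypt=True."""
        if crypt:
            body = armor_stub(body)
        self._transport(to, subject, body)


def audit_paths(mailer):
    """Dry-run each outbound path with a secret-bearing body.

    Returns {path_name: "ok" | "violation"}; a "violation" means that path
    would have delivered the secret in clear text under the loaded policy.
    """
    secret = "Your password reset link: <CONSTRUCTED-RESET-URL>"  # constructed
    to = "user@example.org"
    probes = {
        "send_notice": lambda: mailer.send_notice(to, "reset", secret),
        "send_bounce(crypt=False)": lambda: mailer.send_bounce(to, "bounce", secret),
        "send_bounce(crypt=True)": lambda: mailer.send_bounce(to, "bounce", secret, crypt=True),
    }
    results = {}
    for name, probe in probes.items():
        try:
            probe()
            results[name] = "ok"
        except PolicyViolation:
            results[name] = "violation"
    return results


if __name__ == "__main__":
    for path, verdict in audit_paths(Mailer(CONFIG_INI)).items():
        print(f"{path:26s} {verdict}")
```

With the issue's config.ini, the audit reports the notice path and the unencrypted bounce path as violations and only the crypt=True path as ok; with enable = no the same three paths are all ok, because the policy then permits clear text. Putting the guard in the transport rather than in each caller is the point: a newly added mail path that forgets the crypt flag is refused instead of leaking.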

msg6952
Author: [hidden] (ber)
Date: 2020-08-31 13:21

> I assume your concern is that the reset email url is available in
> plain text and could be used by a bad actor?
Yes, and the next mail has the password and is unencrypted.

Date                 User      Action  Args
2020-08-31 13:21:04  ber       set     messages: + msg6952
2020-08-31 13:15:43  rouilj    set     nosy: + rouilj; messages: + msg6951
2020-08-31 09:09:30  ThomasAH  create