Roundup Tracker - Issues

Message 6951

Author rouilj
Recipients ThomasAH, ber, rouilj
Date 2020-08-31.13:15:43
Message-id <20200831131539.0B0D24C0510@itserver6.cs.umb.edu>
In-reply-to <1598864970.91.0.430551620876.issue2551089@roundup.psfhosted.org>
Hi Thomas:

In message <1598864970.91.0.430551620876.issue2551089@roundup.psfhosted.org>,
Thomas Arendsen Hein writes:
>When requesting a password reset via the web interface, the
>reset email is sent unencrypted.

The reset email is sent using mailer.py:Mailer::standard_message. This
method doesn't send encrypted emails. The bounce_message method in the
same class does support pgp encryption and may provide an outline of
how to implement encryption. Maybe changing the signature to include
crypt=False and implementing pgp encryption would work?

I assume your concern is that the reset email url is available in
plain text and could be used by a bad actor?

>So far I haven't tested with newer Roundup versions.

I did the analysis using 2.0.0 so password reset emails are still
unencrypted.
History

Date                 User    Action  Args
2020-08-31 13:15:44  rouilj  set     recipients: + rouilj, ber, ThomasAH
2020-08-31 13:15:43  rouilj  link    issue2551089 messages
2020-08-31 13:15:43  rouilj  create
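The following is an added illustration of the design sketched in the message above (a `crypt=False` parameter on the reset mailer); it is not Roundup's own code and is not part of this tracker thread. It keeps the names `standard_message` and `crypt` from the message, but the `PUBLIC_KEYS` registry, the `NoKeyError` exception, the reset URL and the `standin_encrypt` routine are all constructed for the example. The encryption step is a stand-in (a hash-derived XOR, not OpenPGP); a real mailer would call gpg there and put its ASCII-armored output in the second MIME part. What the example does show is the two points a reviewer would check: the encrypted message uses the PGP/MIME layout from RFC 3156 (a `multipart/encrypted` container whose first part is `application/pgp-encrypted` with `Version: 1` and whose second part carries the ciphertext), and when encryption is requested but no key is known for the recipient the mailer raises instead of silently falling back to sending the reset link in plaintext.

```python
import base64
import hashlib
from email import encoders
from email.message import EmailMessage
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText


class NoKeyError(Exception):
    """Raised when crypt=True was requested but no key is known for the recipient."""


# Constructed registry: recipient address -> key handle. A real mailer would ask
# gpg which public keys it holds instead of keeping a dict like this.
PUBLIC_KEYS = {"thomas@example.invalid": "CONSTRUCTED-KEY-ID-1"}

# Constructed reset link; the real tracker's URL format is not reproduced here.
RESET_URL = "https://tracker.example.invalid/?reset=CONSTRUCTED-TOKEN"
RESET_BODY = "To reset your password, visit:\n" + RESET_URL + "\n"


def standin_encrypt(plaintext: bytes, key_handle: str) -> str:
    """Stand-in for the OpenPGP step (an assumption of this example, not cryptography).

    XORs the plaintext with a keystream derived from the key handle and returns
    base64 text, so the demo can verify that the reset URL no longer appears in
    the outgoing message. A real mailer calls gpg here and uses its ASCII-armored
    output as the payload of the octet-stream part.
    """
    stream = b""
    counter = 0
    while len(stream) < len(plaintext):
        stream += hashlib.sha256(f"{key_handle}:{counter}".encode()).digest()
        counter += 1
    return base64.b64encode(bytes(a ^ b for a, b in zip(plaintext, stream))).decode("ascii")


def standard_message(to_addr: str, subject: str, body: str, crypt: bool = False):
    """Build the reset mail; with crypt=True never fall back to a plaintext body."""
    if not crypt:
        # Current behaviour described in the message: the link goes out in the clear.
        msg = EmailMessage()
        msg["To"] = to_addr
        msg["Subject"] = subject
        msg.set_content(body)
        return msg

    key_handle = PUBLIC_KEYS.get(to_addr)
    if key_handle is None:
        # Fail closed: refusing to send is safer than downgrading to plaintext.
        raise NoKeyError(f"no public key for {to_addr}; refusing to send in plaintext")

    # RFC 3156: the whole inner MIME entity (headers included) is what gets encrypted.
    inner = MIMEText(body, "plain", "utf-8")
    ciphertext = standin_encrypt(inner.as_bytes(), key_handle)

    msg = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    msg["To"] = to_addr
    msg["Subject"] = subject
    # Part 1: the control part, body exactly "Version: 1".
    msg.attach(MIMEApplication("Version: 1\n", "pgp-encrypted", encoders.encode_7or8bit))
    # Part 2: the ciphertext (ASCII-armored in a real implementation).
    msg.attach(MIMEApplication(ciphertext, "octet-stream", encoders.encode_7or8bit))
    return msg


def reset_link_visible(msg) -> bool:
    """True if the reset URL appears in the serialized message as sent."""
    return RESET_URL in msg.as_string()


if __name__ == "__main__":
    plain = standard_message("thomas@example.invalid", "Password reset", RESET_BODY)
    print("plaintext mail leaks link:", reset_link_visible(plain))
    enc = standard_message("thomas@example.invalid", "Password reset", RESET_BODY, crypt=True)
    print("encrypted mail leaks link:", reset_link_visible(enc))
    print(enc.as_string())
```

Running the block prints the two checks and the PGP/MIME container; the third case worth trying is a recipient without a registered key, where the call raises `NoKeyError` rather than producing a plaintext message.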