
The default e-mail templates (such as registerconfirm.tmpl) that come with Dakar specify the To: address as "%FIRSTLASTNAME% <%EMAILADDRESS%>". When using Net::SMTP (at least), this To: field is parsed by splitting on commas and spaces (see Net.pm, around line 265 in the official 4.0 distribution). Thus, if the line reads "To: Kevin Ring <kring@example.com>", TWiki will attempt to send emails to "Kevin", "Ring", and "<kring@example.com>". With most e-mail setups, this isn't noticeable because the last will go where it is intended and the first two are invalid and will go nowhere. But with some setups (an Exchange server on a LAN, in my case), "kevin" or "ring" might be a perfectly valid address. And it might not be the same person as "kring@example.com". If the registration email includes a password, it is not hard to imagine a situation where this is a security problem.

I was able to fix this by changing the split call to split only on commas, not whitespace.

-- Kevin Ring
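
The recipient splitting described in the report above, as an added example that is not part of the original report and is not TWiki's code. The regexes are assumptions (the Net.pm source is not shown on this page), the second mailbox in the sample header is constructed, and `envelope_recipients` goes beyond the reported fix by also handling a quoted display name that contains a comma.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed To: value in the shape of "%FIRSTLASTNAME% <%EMAILADDRESS%>".
my $to = 'Kevin Ring <kring@example.com>, "Doe, Jane" <jdoe@example.com>';

# Behaviour described in the report: split on commas and whitespace
# (assumed regex). Display-name words become recipients of their own.
sub split_commas_and_spaces {
    my ($value) = @_;
    return grep { length } split /[,\s]+/, $value;
}

# The fix described in the report: split on commas only.
sub split_commas_only {
    my ($value) = @_;
    my @parts = split /,/, $value;
    s/^\s+|\s+$//g for @parts;
    return grep { length } @parts;
}

# Stricter variant (hypothetical helper): walk the header one mailbox at a
# time, treating quoted strings as opaque, and keep only the addr-spec.
sub envelope_recipients {
    my ($value) = @_;
    my @recipients;
    while ( $value =~ /\G\s*((?:"(?:[^"\\]|\\.)*"|[^",])+)\s*(?:,|\z)/gc ) {
        my $mailbox = $1;
        if ( $mailbox =~ /<([^<>\s]+)>\s*\z/ ) {
            push @recipients, $1;    # "Display Name <addr>" form
        }
        else {
            $mailbox =~ s/^\s+|\s+$//g;
            push @recipients, $mailbox if $mailbox =~ /\A\S+\@\S+\z/;
        }
    }
    return @recipients;
}

print "commas+spaces: ", join( ' | ', split_commas_and_spaces($to) ), "\n";
print "commas only:   ", join( ' | ', split_commas_only($to) ),       "\n";
print "addr-spec:     ", join( ' | ', envelope_recipients($to) ),     "\n";
```

Only the last function yields exactly two recipients, `kring@example.com` and `jdoe@example.com`; the comma-only split still breaks the quoted display name into two pieces.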

Although you have told us where to look, if you provide a patch I'll fold it in this evening.

-- MC

Thanks for reporting this, Kevin.

SVN 8691.

-- SP

Yes, thanks Kevin. Thanks Steffen, for fixing this.

-- MC

Closed with release of 4.0.2


Summary: Registration process tries to send extra emails
ReportedBy: TWiki:Main.KevinRing
SVN Range: Sun, 29 Jan 2006 build 8586
AppliesTo: Engine
Priority: Urgent
CurrentState: Closed
Checkins: 8691 8692 8722 8723
TargetRelease: patch
Topic revision: r9 - 2006-04-01 - KennethLavrsen