Hi,

On Mon, Feb 23, 2009 at 12:53 PM, Sergiu Dumitriu <[email protected]> wrote:

> Guillaume Lerouge wrote:
> > Hi Henning,
> >
> > I think your remark is spot on. I'll check with Sergiu whether this
> should
> > be removed (it's quite an easy modification to do).
> >
> > Actually, right now you can change it by editing the page and
> > replacing "<tt>${userEmail}</tt>" with "your email address":
> >
> > 67: #if($mailResult == 0)
> > 68: #info("An e-mail was sent to <tt>${userEmail}</tt>. Please follow the
> > instructions in that e-mail to complete the password reset procedure.")
> > 69: #else
> >
>
> I'm not sure what's the best thing to do. Indeed, this reveals user
> emails, but these are already available in the user profiles. On the
> other hand, many people change email addresses quite often (or have
> several addresses that they use), so if the user forgot the
> password/username, it is likely that he forgot which email address was
> used there, too, so this points to the right place to look for the email.
>
> What we can do is to display the email address somehow obfuscated,
> either css+xml tricks or using a trimmed address, like Google Groups does.
>
> WDYT?

Indeed, showing the first 5 chars + domain name could be ok, like:
[email protected] => [email protected]
Or even limiting to the domain name, like: "your password has been sent to
your @xwiki.com email account".
WDYT?
Guillaume


>
>
> > Thanks for the hint,
> >
> > Guillaume
> > On Mon, Feb 23, 2009 at 12:20 PM, Henning Sprang
> > <[email protected]> wrote:
> >
> >> On Mon, Feb 23, 2009 at 2:08 AM, Niels Mayer <[email protected]>
> wrote:
> >>> In XWiki 1.8RC1, this "security issue" doesn't seem to be the case by
> >>> default.
> >> I'll check that.
> >>
> >> I realized I wrote a mistake in the first sentence. I didn't see the
> >> problem of code being shown or something like that, but when I call
> >> the resetPassword function,
> >> the system shows the _Email_ address of the username for whom I call
> >> the resetpassword.
> >>
> >> And because anybody can call this function for any user, as well as,
> >> in the default setting, and for password reset and other things to
> >> work properly, the pages that show all usernames are viewable by
> >> unregistered users, people can harvest email addresses from all users
> >> on the wiki.
> >>
> >> But yes, the code viewing and execution stuff is interesting for other
> >> threads I started these days and for the general idea that I usually
> >> don't like to make the whole XWiki space viewable by unregistered
> >> users.
>
>
> --
> Sergiu Dumitriu
> http://purl.org/net/sergiu/
> _______________________________________________
> devs mailing list
> [email protected]
> http://lists.xwiki.org/mailman/listinfo/devs
>



-- 
Guillaume Lerouge
Product Manager - XWiki
Skype ID : wikibc
http://guillaumelerouge.com/
_______________________________________________
devs mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/devs
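One way to implement the two trimmed-address variants proposed above (first few characters plus domain, or domain only) for the reset confirmation message. This is an added example in Python, not XWiki's own Velocity code; the sample addresses, the fixed three-asterisk mask and the `reset_notice` wording are constructed assumptions.

```python
import re

# Loose sanity check only: the address comes from the user profile the wiki
# already stores, so this guards against malformed values, not hostile input.
_ADDR_RE = re.compile(r"^([^@\s]+)@([^@\s]+\.[^@\s]+)$")


def mask_email(address: str, keep: int = 5, mask_char: str = "*") -> str:
    """Show the first `keep` characters of the local part plus the domain.

    If the local part is not longer than `keep`, showing `keep` characters
    would reveal the whole address, so only its first character is kept.
    The mask is a fixed three characters (assumption) so the output does not
    leak the true length of the local part either.
    """
    m = _ADDR_RE.match(address)
    if not m:
        raise ValueError("not a plausible e-mail address")
    local, domain = m.groups()
    shown = local[:keep] if len(local) > keep else local[:1]
    return f"{shown}{mask_char * 3}@{domain}"


def domain_only(address: str) -> str:
    """The stronger variant from the thread: reveal only '@domain'."""
    m = _ADDR_RE.match(address)
    if not m:
        raise ValueError("not a plausible e-mail address")
    return "@" + m.group(2)


def reset_notice(address: str, reveal_local: bool) -> str:
    """Confirmation text for a reset request (constructed wording)."""
    hint = mask_email(address) if reveal_local else domain_only(address)
    return f"An e-mail was sent to your {hint} address."


if __name__ == "__main__":
    # Constructed sample addresses, not real accounts.
    print(reset_notice("firstname.lastname@example.org", reveal_local=True))
    print(reset_notice("ab@example.org", reveal_local=True))
    print(reset_notice("firstname.lastname@example.org", reveal_local=False))
```

Either variant still confirms that a reset was triggered for an existing account, so it narrows the disclosure rather than removing the enumeration angle discussed above.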
