Block can expose user's email to other users
amanuel - December 23, 2008 - 15:27
| Project: | Spread |
| Version: | 6.x-1.x-dev |
| Component: | Code |
| Category: | bug report |
| Priority: | critical |
| Assigned: | Unassigned |
| Status: | closed |
Description
If block caching is on, some users are able to see other users' email addresses. While I personally didn't see this happen, during traffic spikes we did get enough emails to turn the module off until we did something about it.
My recommendation is to not have the from field.
Thoughts?

#1
Hi,
Really sorry for the long waiting response. If we remove the From field, we no longer let anonymous users spread?
Is that really what we want?
Jérémy
#2
I need more info on this!
#3
I also experienced this during traffic spikes as Drupal tries to cache the blocks.
We should perhaps not have the from email showing when the user is logged in, instead just displaying their username/display name.
This may have ramifications for the cached block still... but at least it will not expose emails. We would have to investigate the block caching process to see how we can make sure that the right block is cached for the right user.
#4
lol I reported this issue....it really has been that long.
#5
Hi amanuel,
Do you have more info on this?
Can you try the small patch attached, which sets the Spread block to not cache?
Hope this helps.
Jérémy
#6
Jérémy,
That's a great idea to fix the issue. I've implemented it and it seems to be OK now.
privatemsg has had some block issue as well and used the same solution to fix it. See http://drupal.org/node/370937
I'd commit this patch and close this issue.
I will come back here to let you know if the problem recurs... I suspect it won't.
Thanks again.
#7
Committed patch, thanks for the report.
Jérémy
#8
Automatically closed -- issue fixed for 2 weeks with no activity.
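
The fix discussed in comments #5 and #6, sketched as an added example for Drupal 6; the attached patch is not shown on this page, so this is not the Spread module's code. The module name `example_spread`, its form fields, and the assumption that the "From" field is pre-filled from the logged-in user's account are hypothetical.

```php
<?php
// Added illustration for a hypothetical Drupal 6 module named "example_spread".
// It is not the Spread module's code or the patch attached to this issue.

/**
 * Implementation of hook_block().
 */
function example_spread_block($op = 'list', $delta = 0, $edit = array()) {
  switch ($op) {
    case 'list':
      $blocks = array();
      $blocks[0] = array(
        'info' => t('Spread this page'),
        // Without a 'cache' key Drupal 6 uses BLOCK_CACHE_PER_ROLE: one rendered
        // copy is shared by every user holding the same set of roles, so a form
        // pre-filled for one authenticated user is served to the others.
        // BLOCK_NO_CACHE rebuilds the block on every request instead.
        'cache' => BLOCK_NO_CACHE,
      );
      return $blocks;

    case 'view':
      return array(
        'subject' => t('Spread'),
        'content' => drupal_get_form('example_spread_form'),
      );
  }
}

/**
 * Form builder: the "From" field carries per-user data (assumed behaviour).
 */
function example_spread_form(&$form_state) {
  global $user;
  $form['from'] = array(
    '#type' => 'textfield',
    '#title' => t('From'),
    // Logged-in users get their own address; anonymous users type one in.
    '#default_value' => $user->uid ? $user->mail : '',
    '#required' => TRUE,
  );
  $form['to'] = array('#type' => 'textfield', '#title' => t('To'), '#required' => TRUE);
  $form['submit'] = array('#type' => 'submit', '#value' => t('Send'));
  return $form;
}
```

`BLOCK_CACHE_PER_USER` would also keep one user's address out of another user's page, at the cost of one cache entry per user.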