Bug 3136 - When changing email, catdap should check that the new email address is valid
Summary: When changing email, catdap should check that the new email address is valid
Status: NEW
Alias: None
Product: Websites
Classification: Unclassified
Component: identity.mageia.org (show other bugs)
Version: trunk
Hardware: All Linux
Priority: High normal
Target Milestone: ---
Assignee: Sysadmin Team
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 859
  Show dependency treegraph
 
Reported: 2011-10-22 15:34 CEST by boklm test
Modified: 2020-09-19 18:08 CEST (History)
6 users (show)

See Also:
Source RPM:
CVE:
Status comment:


Attachments

Description boklm test 2011-10-22 15:34:16 CEST
When registering a new account, an email is sent to the email address for verification before the account is activated.

However there is no check done when the email adress is changed from catdap. I think catdap should send an email to the address before applying the change.

We should also prevent users from changing their email address directly connecting to the ldap server without using catdap (unless it's possible to enforce the same check).
Nicolas Vigier 2011-10-22 15:38:42 CEST

CC: (none) => boklm
Blocks: (none) => 859

Nicolas Vigier 2011-10-22 15:39:31 CEST

CC: (none) => sysadmin-bugs

Comment 1 Marja Van Waes 2012-01-25 08:06:13 CET
Pinging. because nothing happened to this report since more than 3 months ago, and it still has the status NEW or REOPENED.

@ Buchan,

Please set status to ASSIGNED. If for work flow reasons you can't do that, then please put OK on the whiteboard instead. Don't change anything if you want to be pinged by me here again :)

CC: (none) => marja11

Comment 2 Buchan Milne 2012-01-25 09:59:10 CET
Can you explain in more detail the motivation for requiring email validation of email change (but not e.g. password change)? Or, should we instead send email notification of any change (which might achieve the same, or better, goal)?

For preventing changes via LDAP, this is difficult to prevent, as the approach we have taken is to have CatDap use the LDAP credentials of the user (so CatDap does not have any privileges itself besides being able to search for users and authenticate them). Requiring us to not allow the user to change their email address would mean we have to change this whole model, to the point where CatDap would have higher privileges, which would be easier to abuse (e.g. be able to compromise all accounts, rather than being able to compromise only one).

CC: (none) => bgmilne

Nicolas Vigier 2014-03-24 10:52:36 CET

CC: boklm => (none)

Comment 3 bug zilla 2016-01-21 12:28:30 CET
still valid, I can pretend to be root@mageia.org

CC: (none) => root

Comment 4 Rémi Verschelde 2016-01-21 14:27:31 CET
Confirmed too, I just set steve@jobs.pomme as email address, and it's shown in bugzilla just fine.
Nicolas Lécureuil 2016-01-21 14:50:25 CET

Priority: Normal => release_blocker
CC: (none) => mageia

Comment 5 Colin Guthrie 2016-01-21 15:12:13 CET
I don't think anyone is around who really deals with catdap these days? I know when converting to git the branches for live site and master were really horribly out of sync too.

Would there be any possibility to investigate the use of the PHP-based identity system used by KDE? All the frontend stuff of that is much nicer... and lets us do the necessary stuff we'd need (basically adding SSH keys and group management stuff.

Just a passing thought - no idea about the code behind it.

CC: (none) => mageia

Comment 6 Nicolas Lécureuil 2016-01-21 15:13:48 CET
i would vote for too.
Comment 7 Nicolas Lécureuil 2016-01-21 15:16:12 CET
i think it is : https://quickgit.kde.org/?p=websites%2Fidentity-kde-org.git
Marja Van Waes 2016-01-21 15:26:51 CET

CC: root => (none)

Comment 8 Buchan Milne 2016-01-22 08:17:29 CET
"Would there be any possibility to investigate the use of the PHP-based identity system used by KDE?"

PHP's LDAP support is very broken, and has been broken for 10 years (no real support for controls such as password policies etc.).

Before people take stupid unilateral decisions, how about we discuss whether there is actually anything really substantially missing.
Comment 9 Colin Guthrie 2016-01-22 10:12:12 CET
There are numerous things wrong with catdap and in the last few years I've had to fight with ldap command line on numerous occasions.

Many of the links don't work and the UX in it is horrible to the extent of unusable (we frequently have to support users in using it).

PHP's LDAP support might not be perfect, but it's certainly more than functional enough for our needs here.

The amount of work needed to give catdap a good UX is quite high. I am also sure that there are very few people who are active just now that understand it and a lot more people that would be able to understand and help out with a PHP based system.

While I'm not against improving catdap, I don't really see people lining up offering to do the work.

One man's "stupid" decision, is another man's pragmatic one...
Rémi Verschelde 2016-09-09 15:15:06 CEST

Priority: release_blocker => High
Assignee: bgmilne => sysadmin-bugs

Comment 10 Frédéric "LpSolit" Buclin 2017-04-22 20:33:42 CEST
(In reply to Nicolas Lécureuil from comment #7)
> i think it is : https://quickgit.kde.org/?p=websites%2Fidentity-kde-org.git

New URL is https://cgit.kde.org/websites/identity-kde-org.git


Being able to choose an email address which doesn't belong to you can be a security issue. One example is that Bugzilla can be configured to give some privileges to users based on their email address (typically the domain name part of the email address), and so if an attacker chooses an email address matching the regular expression set in Bugzilla, he could get higher privileges. See e.g. https://bugzilla.mozilla.org/show_bug.cgi?id=1202447 for a recent similar issue. The good news is that Mageia Bugzilla is not configured to give privileges based on the email address. But I don't know about other Mageia services. So it would still be good to address this issue in CatDap. This doesn't look to hard to do.

CC: (none) => LpSolit

Comment 11 Aurelien Oudelet 2020-09-19 18:08:47 CEST
Hi,
This is High priority bug for a good reason.

Making Mageia even better than ever is best direction.
In order to do right thing, this bug should be examined and fixed as soon as possible.

Packagers, please make the status to Assigned when you are working on this.
Feel free to reassign the bug if bad-triaged. Also, if bug is old, please close it.

On October 1st 2020, we will drop priority to normal.

Note You need to log in before you can comment on or make changes to this bug.