Page MenuHomePhabricator

Contest extension silently screws with user e-mail address
Closed, ResolvedPublic

Description

I was playing around with the Contest extension and used "hhhh@f" as my e-mail address. The extension accepted this e-mail address (which ought to be the subject of another bug), but more disturbingly, the extension silently set my global e-mail address as "hhhh@f" and marked the e-mail address as being confirmed/authenticated. The Contest extension shouldn't touch user.user_email at all. And it most certainly shouldn't do so silently.


Version: unspecified
Severity: normal

Details

Reference
bz31965

Event Timeline

bzimport raised the priority of this task from to High.Nov 21 2014, 11:55 PM
bzimport set Reference to bz31965.

So far for the build in PHP mail validation function... wtf...

The email address field in the signup form should default to your set email address if you have any. Just had a look, and this appears to work as it should. You are right that changing the address should cause it to be in non-validated state, this is something I overlooked. However, the change of the user email field is deliberate, and was discussed before creating the extension. The idea here is that it makes little sense to have separate storage for the email address of a user, as it's really one piece of info, hence the usage of the user_email field in the user table. The field in the contest extension is there to keep a copy that cannot be changed after contest end.

(In reply to comment #1)

So far for the build in PHP mail validation function... wtf...

I imagine it's accounting for something like... user@localhost.

The email address field in the signup form should default to your set email
address if you have any. Just had a look, and this appears to work as it
should.

Yes, it does. But...

You are right that changing the address should cause it to be in
non-validated state, this is something I overlooked.

Much more importantly, if it's going to change user.user_email to a new value, it should first confirm this with the user. "Your e-mail address is currently set to foo@bar.com. You've indicated that your e-mail address is baz@bang.com. Would you like to update your Wikimedia account?" Or something.

However, the change of the user email field is deliberate, and was discussed
before creating the extension.

Changing the e-mail address is fine. _Silently_ changing it is not.

wtf yes this should definitely not be changing your user account settings without warning...

(In reply to comment #0)

I was playing around with the Contest extension and used "hhhh@f" as my e-mail
address. The extension accepted this e-mail address (which ought to be the
subject of another bug),

That is a perfectly valid address per the RFC from my understanding... This should not be changed.

(In reply to comment #5)

(In reply to comment #0)

I was playing around with the Contest extension and used "hhhh@f" as my e-mail
address. The extension accepted this e-mail address (which ought to be the
subject of another bug),

That is a perfectly valid address per the RFC from my understanding... This
should not be changed.

Cept unless the MediaWiki install has a local hosts modification or is running in an intranet with custom hosts there's no way MediaWiki can send to that address.

It would probably be useful to validate the tlds used in e-mail addresses to ensure the domain in the e-mail is valid for use. Of course with a config option to disable it for intranets and whatnot.

Mozilla's Public Suffix List project would be useful for this:
http://publicsuffix.org/

Added warning message in r101585