
Bug 365981

Summary: logged in bugzilla users can see the email addresses of other users
Product: Gentoo Infrastructure
Reporter: Jerome <jerome.bouat>
Component: Bugzilla
Assignee: Bugzilla Admins <bugzilla>
Status: RESOLVED UPSTREAM    
Severity: critical
CC: jer, jlec
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: All   
Whiteboard:
Package list:
Runtime testing required: ---

Description Jerome 2011-05-04 17:03:33 UTC
By using a user account, a spammer can make the robots parse the email addresses of the users.

Because the process which grabs the email addresses and the process which sends the spam can be separated, nobody would know from whom it comes.

The Bugzilla-4.x upgrade is a good point and it still can't block the spammer.

Note that this bug is not a duplicate of bug #249123

Reproducible: Always
Comment 1 Christian Ruppert (idl0r) gentoo-dev 2011-05-05 00:51:48 UTC
We could set up reCAPTCHA for the registration of new accounts but we're not going to hide all mail addresses for *all* users.
Comment 2 Jerome 2011-05-08 11:21:36 UTC
(In reply to comment #1)
> We could set up reCAPTCHA for the registration of new accounts but we're not
> going to hide all mail addresses for *all* users.

A reCAPTCHA setup will not detect the human users who query Bugzilla in order to feed their spam robot.
Comment 3 Frédéric Buclin 2011-05-08 19:04:11 UTC
This should go into the See Also field, but I cannot do it myself:

https://bugzilla.mozilla.org/show_bug.cgi?id=218917

This is the upstream bug.
Comment 4 SpanKY gentoo-dev 2011-06-17 01:56:22 UTC
(In reply to comment #2)

sorry, but this is just crazy.  as soon as you have any human doing something, then the result really doesn't matter.  you're proposing making bugzilla a lot less useful to people for the sake of theoretical spam harvesting.  if you don't like the way this bugzilla is run, then delete your account.