When sending email reports, deduplicate the list of email addresses to only send the report once per email #14474

Closed
mattab opened this issue May 23, 2019 · 0 comments · Fixed by #14561
Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.

mattab commented May 23, 2019

-> Goal of this issue is to make sure we only send email reports once to a given email address.

Initial security report

When creating/editing an email report, if you enter the same email address multiple times, like 100 or 1000 times in the field "Send report to", the email reports are sent 100 or 1000 times. This could create problems where the Matomo server sending emails is marked as spam. This could affect Cloud customers if some security tester is sending hundreds of email reports (they are not allowed to as per our bug bounty rules, but some who don't read still do it anyway...).

Suggested steps

  1. Deduplicate email addresses when saving a scheduled email report (only save the email once). So even if you enter the same email many times it won't be saved anyway.
  2. When sending emails in the scheduled task (or via the UI "Send report now" button), then deduplicate emails and only send the email report once to each email address. (this is useful if for some reason an existing email report contains the same email multiple times and wasn't "fixed" by step 1. above yet)
@mattab mattab added the c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. label May 23, 2019
@mattab mattab added this to the 3.11.0 milestone May 23, 2019
@katebutler katebutler self-assigned this Jun 20, 2019
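
The two suggested steps above, sketched as an added PHP example (not Matomo's code and not the change merged in #14561). The function names are hypothetical, and treating addresses that differ only in case or surrounding whitespace as the same recipient is an assumption.

```php
<?php
// Added illustration; hypothetical helpers, not part of Matomo.

/**
 * Remove duplicate recipients, keeping the first spelling seen and the
 * original order. Assumption: case and surrounding whitespace do not
 * distinguish two mailboxes, so both are ignored when comparing.
 */
function dedupeRecipients(array $emails): array
{
    $seen = [];
    foreach ($emails as $email) {
        $email = trim((string) $email);
        if ($email === '') {
            continue; // drop empty entries left by stray separators
        }
        $key = strtolower($email);
        if (!isset($seen[$key])) {
            $seen[$key] = $email;
        }
    }
    return array_values($seen);
}

/**
 * Step 2: dedupe again at send time, so reports stored before step 1
 * existed still produce one message per recipient.
 */
function sendReport(array $storedRecipients, callable $sendOne): int
{
    $sent = 0;
    foreach (dedupeRecipients($storedRecipients) as $email) {
        $sendOne($email);
        $sent++;
    }
    return $sent;
}

// Constructed sample input: one address entered 1000 times, plus variants.
$submitted = array_merge(
    array_fill(0, 1000, 'alice@example.org'),
    [' Alice@Example.org ', 'bob@example.org', '']
);

// Step 1: only the deduplicated list is stored with the report.
$toStore = dedupeRecipients($submitted);
echo 'stored recipients: ' . count($toStore) . "\n";

// Step 2: a legacy row that still holds the raw list is deduplicated on send.
$count = sendReport($submitted, function (string $to): void {
    echo "sending report to $to\n";
});
echo "messages sent: $count\n";
```

A plain `array_unique()` would still send twice when the same address is entered with different casing or stray spaces, which is why the comparison key is normalised.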