rate limit scheduled email reports #14513

Open
mattab opened this issue Jun 5, 2019 · 1 comment
Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.

Comments

@mattab
Member

mattab commented Jun 5, 2019

Email reports in Matomo can be abused to send many emails. For example, by creating a scheduled email report, then adding a few dozen (or more) email addresses (for example fake, or real), and then clicking "Send Report Now". The email report will be sent to all email addresses. The button can be clicked again and again. This fake email can be triggered every day as well.

Somehow it would be good to implement rate limiting. But I'm not sure how the rate limiting should work...

See also #13813

@mattab mattab added the c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. label Jun 5, 2019
@Findus23
Member

Findus23 commented Jun 5, 2019

Maybe an even better (even though more complex to implement) solution would be to require an opt-in for all emails (similar to #13533).

So if you add an email to a report, it only gets added after the user clicked on a confirmation link.
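
The two mitigations discussed in this thread (rate limiting "Send Report Now" and requiring recipients to confirm via a link before they receive anything), sketched as an added Python example that is not Matomo code; the class names, limits (3 manual sends and 5 confirmation mails per hour) and the in-memory outbox are constructed for illustration:

```python
import secrets
import time
from collections import deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds (constructed example)."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._events = deque()

    def allow(self):
        now = self.clock()
        # Drop events that have aged out of the window, then check the budget.
        while self._events and now - self._events[0] >= self.window:
            self._events.popleft()
        if len(self._events) >= self.limit:
            return False
        self._events.append(now)
        return True


class ScheduledReport:
    """One report: recipients must confirm via token; manual sends are limited."""

    def __init__(self, clock=time.monotonic):
        self.confirmed = set()
        self.pending = {}               # token -> email awaiting confirmation
        self.outbox = []                # (kind, email) pairs that would be mailed
        self.send_limiter = SlidingWindowLimiter(3, 3600, clock)    # "Send Report Now"
        self.invite_limiter = SlidingWindowLimiter(5, 3600, clock)  # confirmation mails

    def add_recipient(self, email):
        # Adding an address only queues one confirmation mail; the report itself
        # never goes to the address until the link is clicked. Confirmation mails
        # are limited too, since they are themselves a way to make Matomo send mail.
        if email in self.confirmed or email in self.pending.values():
            return None
        if not self.invite_limiter.allow():
            return None
        token = secrets.token_urlsafe(32)   # unguessable; carried in the link
        self.pending[token] = email
        self.outbox.append(("confirm", email))
        return token

    def confirm(self, token):
        email = self.pending.pop(token, None)
        if email is not None:
            self.confirmed.add(email)
        return email is not None

    def send_now(self):
        """Return the list of addresses mailed, or None when rate-limited."""
        if not self.send_limiter.allow():
            return None
        sent = sorted(self.confirmed)
        self.outbox.extend(("report", email) for email in sent)
        return sent
```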

@mattab mattab added this to the Priority Backlog (Help wanted) milestone Jun 18, 2019
@mattab mattab added the Major Indicates the severity or impact or benefit of an issue is much higher than normal but not critical. label Jun 18, 2019
@mattab mattab added Major Indicates the severity or impact or benefit of an issue is much higher than normal but not critical. and removed Major Indicates the severity or impact or benefit of an issue is much higher than normal but not critical. labels Oct 21, 2019
@tsteur tsteur removed the Major Indicates the severity or impact or benefit of an issue is much higher than normal but not critical. label Dec 7, 2023