Matomo reports sent by email are exposing the username of the user generating the report through the "reply-to:" header field of the email. Though it's not a big issue, exposing the username, which also serves as the login name for this user, should be considered a low security risk.
The email header of the report sent by email should not contain the "reply-to:" field at all, but if it does or has to for some reason, it should be configurable similar to noreply_email_address for the "from:" header field.
Sending a report by email, Matomo adds the "reply-to:" header field, looking like this:
reply-to: username <emailaddress@mydomain.com>
As there is no need to reply to a report sent, this header field is not necessary anyway. The simplest solution would be to just not add this header field when sending reports at all.
Alternatively: add options similar to noreply_email_name to configure what name and email address to add as the "reply-to:" header.
Temporary workaround: Don't send reports from the admin account, but choose a user with as-low-as-possible rights to send reports. This way, the username is still exposed, but the security risk is lower than with the admin account.
This issue has been mentioned on Matomo forums. There might be relevant details there:
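The leaking header and the two fixes proposed in the report (omit "reply-to:" entirely, or fill it from the noreply_* settings), as an added example that is not Matomo's own code. The function names, the config keys and the sample user are assumptions modelled on the issue text, and the values are constructed; the last function is the kind of check an operator can run over outgoing headers to confirm a login name no longer appears in them.

```python
"""
Added example (not Matomo's code): build the headers of a scheduled-report
e-mail in the leaking form and in the two hardened forms, then check which
headers still contain the login name.
"""
from email.message import EmailMessage
from email.utils import formataddr

# Constructed configuration mirroring the noreply_* options named in the issue
# (keys and values are assumptions, not Matomo's real config file).
CONFIG = {
    "noreply_email_address": "noreply@mydomain.com",
    "noreply_email_name": "Matomo Reports",
}

# Constructed sample user: the login name is the value that must not leak.
# The login deliberately differs from the mailbox name so the check below
# only matches the header that really carries the login.
USER = {"login": "a.smith", "email": "alice@mydomain.com"}


def build_report_headers(user, config, mode="leaking"):
    """Return an EmailMessage carrying the headers a report e-mail would get.

    mode="leaking":    Reply-To carries the login name (behaviour reported).
    mode="omit":       no Reply-To header at all (reporter's preferred fix).
    mode="configured": Reply-To filled from the noreply_* settings (alternative).
    """
    msg = EmailMessage()
    msg["From"] = formataddr((config["noreply_email_name"],
                              config["noreply_email_address"]))
    msg["To"] = user["email"]
    msg["Subject"] = "Scheduled report"
    if mode == "leaking":
        # Display name is the login, which is what the issue complains about.
        msg["Reply-To"] = formataddr((user["login"], user["email"]))
    elif mode == "configured":
        msg["Reply-To"] = formataddr((config["noreply_email_name"],
                                      config["noreply_email_address"]))
    elif mode != "omit":
        raise ValueError(f"unknown mode: {mode}")
    return msg


def headers_leaking_login(msg, login):
    """Return the names of headers whose value contains the login name."""
    return [name for name, value in msg.items() if login in str(value)]


if __name__ == "__main__":
    for mode in ("leaking", "omit", "configured"):
        m = build_report_headers(USER, CONFIG, mode)
        print(f"{mode:10s} leaking headers: {headers_leaking_login(m, USER['login'])}")
```

The check is deliberately a plain substring match over every header rather than a look at "Reply-To" alone, so it would also flag a login name that surfaced in "From" or "Subject" after a future change.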
I believe that's a regression, maybe we should add it to the next milestone since there is a low security risk. I would recommend that if there is no reply-to header set, we hide part of the username. Like
@peterhashair can you point at the PR you think this is a regression from?
That shouldn't be a regression. This code exists since 2017: