Last modified: 2011-11-02 06:24:13 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T33965, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 31965 - Contest extension silently screws with user e-mail address
Status: RESOLVED FIXED
Product: MediaWiki extensions
Classification: Unclassified
Component: Contest
Version: unspecified
Hardware: All All
Importance: High normal
Target Milestone: ---
Assigned To: Jeroen De Dauw
Reported: 2011-10-26 23:12 UTC by MZMcBride
Modified: 2011-11-02 06:24 UTC (History)

Description MZMcBride 2011-10-26 23:12:38 UTC
I was playing around with the Contest extension and used "hhhh@f" as my e-mail address. The extension accepted this e-mail address (which ought to be the subject of another bug), but more disturbingly, the extension silently set my global e-mail address as "hhhh@f" and marked the e-mail address as being confirmed/authenticated. The Contest extension shouldn't touch user.user_email at all. And it most certainly shouldn't do so silently.
Comment 1 Jeroen De Dauw 2011-10-26 23:38:57 UTC
So much for the built-in PHP mail validation function... wtf...

The email address field in the signup form should default to your set email address if you have any. Just had a look, and this appears to work as it should. You are right that changing the address should cause it to be in non-validated state, this is something I overlooked. However, the change of the user email field is deliberate, and was discussed before creating the extension. The idea here is that it makes little sense to have separate storage for the email address of a user, as it's really one piece of info, hence the usage of the user_email field in the user table. The field in the contest extension is there to keep a copy that cannot be changed after contest end.
Comment 2 MZMcBride 2011-10-26 23:49:55 UTC
(In reply to comment #1)
> So much for the built-in PHP mail validation function... wtf...

I imagine it's accounting for something like... user@localhost.

> The email address field in the signup form should default to your set email
> address if you have any. Just had a look, and this appears to work as it
> should.

Yes, it does. But...

> You are right that changing the address should cause it to be in
> non-validated state, this is something I overlooked.

Much more importantly, if it's going to change user.user_email to a new value, it should first confirm this with the user. "Your e-mail address is currently set to foo@bar.com. You've indicated that your e-mail address is baz@bang.com. Would you like to update your Wikimedia account?" Or something.

> However, the change of the user email field is deliberate, and was discussed
> before creating the extension.

Changing the e-mail address is fine. _Silently_ changing it is not.
Comment 3 Brion Vibber 2011-10-26 23:53:58 UTC
wtf yes this should definitely not be changing your user account settings without warning...
Comment 4 Jeroen De Dauw 2011-10-27 00:36:19 UTC
Right. Will add a warning then.
Comment 5 p858snake 2011-10-27 01:43:12 UTC
(In reply to comment #0)
> I was playing around with the Contest extension and used "hhhh@f" as my e-mail
> address. The extension accepted this e-mail address (which ought to be the
> subject of another bug),
That is a perfectly valid address per the RFC from my understanding... This should not be changed.
Comment 6 Daniel Friesen 2011-10-27 02:27:09 UTC
(In reply to comment #5)
> (In reply to comment #0)
> > I was playing around with the Contest extension and used "hhhh@f" as my e-mail
> > address. The extension accepted this e-mail address (which ought to be the
> > subject of another bug),
> That is a perfectly valid address per the RFC from my understanding... This
> should not be changed.
Cept unless the MediaWiki install has a local hosts modification or is running in an intranet with custom hosts there's no way MediaWiki can send to that address.

It would probably be useful to validate the TLDs used in e-mail addresses to ensure the domain in the e-mail is valid for use. Of course with a config option to disable it for intranets and whatnot.

Mozilla's Public Suffix List project would be useful for this:
http://publicsuffix.org/
Comment 7 Jeroen De Dauw 2011-11-02 06:24:13 UTC
Added warning message in r101585
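
An added example, not code from the Contest extension or MediaWiki: a small Python model of the behaviour requested in this thread, where a signup form may change the account e-mail only with explicit consent, a changed address loses its confirmed state, and dotless domains such as "hhhh@f" are rejected unless an intranet option is set. `Account`, `domain_is_routable`, `apply_signup_email` and the three-entry suffix set are hypothetical names and constructed data; a real check would load the full Public Suffix List.

```python
from dataclasses import dataclass

# Constructed stand-in for the Public Suffix List (assumption: the real
# list would be loaded from publicsuffix.org data, not hard-coded).
KNOWN_SUFFIXES = {"com", "org", "net"}


@dataclass
class Account:
    """Hypothetical model of the account-level e-mail fields."""
    email: str = ""
    email_confirmed: bool = False


def domain_is_routable(address: str, allow_intranet: bool = False) -> bool:
    """Reject dotless or unknown-suffix domains unless intranet mode is on."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        return False
    if allow_intranet:
        return True  # e.g. user@localhost on a private install
    labels = domain.lower().rstrip(".").split(".")
    return len(labels) >= 2 and all(labels) and labels[-1] in KNOWN_SUFFIXES


def apply_signup_email(account: Account, submitted: str,
                       user_consented: bool,
                       allow_intranet: bool = False) -> str:
    """Return 'unchanged', 'rejected', 'needs_consent' or 'updated'."""
    submitted = submitted.strip()
    if submitted == account.email:
        return "unchanged"  # same address: confirmation state is kept
    if not domain_is_routable(submitted, allow_intranet):
        return "rejected"  # never stored on the account
    if not user_consented:
        return "needs_consent"  # caller shows the "update your account?" prompt
    account.email = submitted
    account.email_confirmed = False  # a new address must be verified again
    return "updated"


if __name__ == "__main__":
    acct = Account(email="foo@bar.com", email_confirmed=True)
    for addr, consent in [("hhhh@f", True), ("baz@bang.com", False),
                          ("baz@bang.com", True)]:
        print(addr, consent, apply_signup_email(acct, addr, consent), acct)
```
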
