registered emails for all users available via anonymous api

Bug #681815 reported by Kapil Thangavelu
Affects: Launchpad itself
Status: Fix Released
Importance: High
Assigned to: j.c.sackett

Bug Description

This seems to be a security issue, at least with regards to the privacy and trust of our users.

---
from launchpadlib.launchpad import Launchpad

# Anonymous (unauthenticated) API session against production.
lp = Launchpad.login_anonymously("testing 123", "production")
person = lp.people["hazmat"]
# Confirmed addresses should not be visible without logging in.
print(list(person.confirmed_email_addresses))


Revision history for this message
Kapil Thangavelu (hazmat) wrote :

Just to be clear, this can also be used to harvest emails en masse across the entire Launchpad population.

from launchpadlib.launchpad import Launchpad

lp = Launchpad.login_anonymously("testing 123", "production")
collected_emails = []
# Walk the people collection in batches; every person's confirmed addresses are readable anonymously.
batch = lp.people[0:100]
for person in batch:
    collected_emails.extend(list(person.confirmed_email_addresses))

Curtis Hovey (sinzui)
affects: launchpad → launchpad-registry
Changed in launchpad-registry:
status: New → Invalid
security vulnerability: yes → no
visibility: private → public
security vulnerability: no → yes
visibility: public → private
Changed in launchpad-registry:
status: Invalid → Triaged
importance: Undecided → High
milestone: none → 10.12
Revision history for this message
Curtis Hovey (sinzui) wrote :

This is not a bug. The API must honour the same rules as the web site. Only logged-in users can see email addresses, and only those email addresses that are designated to be public.

The defect here is that anonymous users can see public email addresses that they cannot see in web pages.

canonical.launchpad.security.ViewEmailAddress.checkUnauthenticated does verify that private addresses are not shown, but I think the rules are bogus. The method should only return False because no anonymous user is permitted to see email addresses. The rules might be odd because the web UI uses obfuscation. Fixing this may topple pages that work with IEmailAddress and anonymous users.

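As an added illustration (not Launchpad's code): a minimal model of the authorization-adapter pattern the comment refers to, with the "before" rule, which only denies anonymous callers addresses whose owner hides them, beside the "after" rule, which denies anonymous callers outright and leaves the authenticated path unchanged. The `Person` and `EmailAddress` classes, the registry-admin flag, the confirmed-status values and the sample data are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Type


@dataclass
class Person:
    name: str
    hide_email_addresses: bool = False   # the web UI's "hide my email addresses" setting (assumed)
    is_registry_admin: bool = False      # stand-in for the registry-admin role (assumed)
    addresses: List["EmailAddress"] = field(default_factory=list)


@dataclass
class EmailAddress:
    email: str
    status: str        # "validated" or "preferred" count as confirmed (assumed values)
    person: Person


def _authenticated_may_view(address: EmailAddress, user: Person) -> bool:
    # Owner and registry admins always see the address; everyone else only
    # if the owner has not hidden their addresses.
    owner = address.person
    if user is owner or user.is_registry_admin:
        return True
    return not owner.hide_email_addresses


class ViewEmailAddressBefore:
    """Models the rule being criticised: anonymous callers are only denied
    addresses whose owner hides them, so public addresses leak."""

    def __init__(self, address: EmailAddress) -> None:
        self.obj = address

    def checkUnauthenticated(self) -> bool:
        return not self.obj.person.hide_email_addresses

    def checkAuthenticated(self, user: Person) -> bool:
        return _authenticated_may_view(self.obj, user)


class ViewEmailAddressAfter(ViewEmailAddressBefore):
    """The rule the comment asks for: no anonymous user may see any address."""

    def checkUnauthenticated(self) -> bool:
        return False


def confirmed_email_addresses(person: Person, user: Optional[Person],
                              policy: Type[ViewEmailAddressBefore]) -> List[str]:
    """What an API collection should return for `person` to the caller `user`
    (None means anonymous) when every element is filtered through `policy`."""
    visible = []
    for address in person.addresses:
        if address.status not in ("validated", "preferred"):
            continue                       # unconfirmed addresses are never listed
        checker = policy(address)
        if user is None:
            allowed = checker.checkUnauthenticated()
        else:
            allowed = checker.checkAuthenticated(user)
        if allowed:
            visible.append(address.email)
    return visible


def sample_people() -> dict:
    # Constructed sample data: the names echo the thread, the addresses are made up.
    jml = Person("jml")
    barry = Person("barry", hide_email_addresses=True)
    viewer = Person("viewer")
    admin = Person("sinzui", is_registry_admin=True)
    jml.addresses = [EmailAddress("jml@example.org", "preferred", jml),
                     EmailAddress("old@example.org", "new", jml)]
    barry.addresses = [EmailAddress("barry@example.org", "preferred", barry)]
    return {"jml": jml, "barry": barry, "viewer": viewer, "admin": admin}


if __name__ == "__main__":
    p = sample_people()
    for policy in (ViewEmailAddressBefore, ViewEmailAddressAfter):
        print(policy.__name__, "anonymous sees for jml:",
              confirmed_email_addresses(p["jml"], None, policy))
    print("viewer sees for barry:",
          confirmed_email_addresses(p["barry"], p["viewer"], ViewEmailAddressAfter))
    print("admin sees for barry:",
          confirmed_email_addresses(p["barry"], p["admin"], ViewEmailAddressAfter))
```

The point the model makes is that the "before" adapter is not wrong about hidden addresses, only about the default: an anonymous caller reaches the per-address check at all, and any address not explicitly hidden falls through as visible. Returning False unconditionally from the unauthenticated path closes the API-only leak without touching what logged-in users, owners or admins see.
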
j.c.sackett (jcsackett)
Changed in launchpad-registry:
assignee: nobody → j.c.sackett (jcsackett)
status: Triaged → In Progress
Revision history for this message
Curtis Hovey (sinzui) wrote :

I think this script can verify that anon interactions are fixed:
from launchpadlib.launchpad import Launchpad

def anon_emails():
    # Anonymous session: should list no addresses once the fix is in place.
    lp = Launchpad.login_anonymously("testing", "https://api.qastaging.launchpad.net/")
    person = lp.people["jml"]
    print(list(person.confirmed_email_addresses))

def user_emails():
    # Authenticated session (login_with completes OAuth authorisation on first use).
    lp = Launchpad.login_with("testing", "https://api.qastaging.launchpad.net/")
    person = lp.people["barry"]
    print(list(person.confirmed_email_addresses))

if __name__ == "__main__":
    print("Checking authenticated")
    user_emails()
    print("Checking anon")
    anon_emails()

Revision history for this message
Kapil Thangavelu (hazmat) wrote :

Thanks for having a look at this, but the script above is a little confusing in its output, in that barry doesn't have any public email addresses. Here's a variation that raises an error if anon logins can see emails (it currently raises an error), since jml has public addresses.

from launchpadlib.launchpad import Launchpad

def verify_anon_emails():
    # Anonymous view of a person who has public (non-hidden) addresses.
    lp = Launchpad.login_anonymously("testing", "https://api.qastaging.launchpad.net/")
    person = lp.people["jml"]
    anon_emails = list(person.confirmed_email_addresses)

    # Authenticated view of the same person, for comparison.
    lp = Launchpad.login_with("testing", "https://api.qastaging.launchpad.net/")
    person = lp.people["jml"]
    auth_emails = list(person.confirmed_email_addresses)

    # If the two lists match, the anonymous session saw the same addresses.
    assert anon_emails != auth_emails, "Anon able to see emails"

if __name__ == "__main__":
    print("Verifying anonymous emails")
    verify_anon_emails()

Revision history for this message
Curtis Hovey (sinzui) wrote :

The script was written from the perspective of a registry admin; I want to see barry's addresses.

Curtis Hovey (sinzui)
tags: added: api
Curtis Hovey (sinzui)
Changed in launchpad-registry:
milestone: 10.12 → series-future
Revision history for this message
Launchpad QA Bot (lpqabot) wrote : Bug fixed by a commit
Changed in launchpad-registry:
milestone: series-future → none
tags: added: qa-needstesting
Changed in launchpad-registry:
status: In Progress → Fix Committed
j.c.sackett (jcsackett)
tags: added: qa-ok
removed: qa-needstesting
Curtis Hovey (sinzui)
Changed in launchpad:
status: Fix Committed → Fix Released
Curtis Hovey (sinzui)
Changed in launchpad:
milestone: none → 11.01
Curtis Hovey (sinzui)
visibility: private → public
Curtis Hovey (sinzui)
tags: added: disclosure hardening
This report contains Public Security information.
Everyone can see this security related information.
