registered emails for all users available via anonymous api
Bug #681815 reported by Kapil Thangavelu
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Launchpad itself | Fix Released | High | j.c.sackett |
Bug Description
This seems to be a security issue, at least with regard to the privacy and trust of our users.
---
from launchpadlib.
lp = Launchpad.
person = lp.people["hazmat"]
print list(person.
Related branches
lp:~jcsackett/launchpad/anonymous-api-access-emails-681815
- Edwin Grubbs (community): Approve (code)
- Benji York (community): Approve (code*)
Diff: 1048 lines (+205/-101), 32 files modified
lib/canonical/launchpad/browser/tests/test_logintoken.py (+2/-1)
lib/canonical/launchpad/doc/emailaddress.txt (+1/-0)
lib/canonical/launchpad/doc/location-widget.txt (+3/-3)
lib/canonical/launchpad/doc/notification-recipient-set.txt (+1/-0)
lib/canonical/launchpad/doc/vocabulary-json.txt (+1/-1)
lib/canonical/launchpad/security.py (+2/-5)
lib/canonical/launchpad/webapp/tests/test_login.py (+3/-2)
lib/canonical/launchpad/webapp/tests/test_loginsource.py (+4/-3)
lib/lp/blueprints/stories/standalone/subscribing.txt (+2/-2)
lib/lp/code/browser/tests/test_branch.py (+1/-1)
lib/lp/code/mail/branch.py (+4/-2)
lib/lp/code/mail/tests/test_branch.py (+4/-1)
lib/lp/code/mail/tests/test_sourcepackagerecipebuild.py (+1/-1)
lib/lp/code/model/recipebuilder.py (+6/-1)
lib/lp/code/model/tests/test_recipebuilder.py (+1/-0)
lib/lp/code/stories/feeds/xx-revision-atom.txt (+2/-1)
lib/lp/code/tests/test_directbranchcommit.py (+4/-1)
lib/lp/registry/browser/tests/person-views.txt (+4/-2)
lib/lp/registry/browser/tests/test_person_webservice.py (+41/-1)
lib/lp/registry/browser/tests/user-to-user-views.txt (+1/-1)
lib/lp/registry/doc/message-holds.txt (+1/-1)
lib/lp/registry/doc/person.txt (+3/-2)
lib/lp/registry/scripts/personnotification.py (+2/-1)
lib/lp/registry/stories/webservice/xx-person.txt (+81/-46)
lib/lp/registry/tests/test_personset.py (+3/-3)
lib/lp/registry/tests/test_product.py (+7/-6)
lib/lp/registry/tests/test_project.py (+2/-1)
lib/lp/services/mail/sendmail.py (+3/-1)
lib/lp/services/mailman/testing/__init__.py (+2/-1)
lib/lp/services/mailman/tests/test_lpmoderate.py (+4/-2)
lib/lp/testing/factory.py (+7/-6)
lib/lp/testing/tests/test_login.py (+2/-2)
affects: | launchpad → launchpad-registry |
Changed in launchpad-registry: | |
status: | New → Invalid |
security vulnerability: | yes → no |
visibility: | private → public |
security vulnerability: | no → yes |
visibility: | public → private |
Changed in launchpad-registry: | |
status: | Invalid → Triaged |
importance: | Undecided → High |
milestone: | none → 10.12 |
Changed in launchpad-registry: | |
assignee: | nobody → j.c.sackett (jcsackett) |
status: | Triaged → In Progress |
tags: | added: api |
Changed in launchpad-registry: | |
milestone: | 10.12 → series-future |
tags: | added: qa-ok removed: qa-needstesting |
Changed in launchpad: | |
status: | Fix Committed → Fix Released |
Changed in launchpad: | |
milestone: | none → 11.01 |
visibility: | private → public |
tags: | added: disclosure hardening |
Just to be clear, this can also be used to harvest emails en masse across the entire Launchpad population.
collected_emails = []
batch = lp.people[0:100]
for person in batch:
    collected_emails.extend(list(person.confirmed_email_address))