Shouldn't allow unlimited e-mail address confirmation messages
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Launchpad itself |
Triaged
|
Low
|
Unassigned |
Bug Description
According to lib/canonical/
That's a good reason, but it has a problem. If you don't have a Launchpad account, someone who isn't even logged in can DoS you by getting Launchpad to rapidly send you hundreds of confirmation messages.
Either Launchpad should limit the number of confirmation messages sent to an address (perhaps 2 per day maximum), or the confirmation message should include the IP address of the person who requested the confirmation (as other systems do), or both.
See also bug 341935.
Changed in launchpad: | |
status: | New → Confirmed |
Changed in launchpad-registry: | |
importance: | Undecided → Wishlist |
status: | Confirmed → Triaged |
description: | updated |