Shouldn't allow unlimited e-mail address confirmation messages

Bug #78039 reported by Matthew Paul Thomas
Affects: Launchpad itself
Status: Triaged
Importance: Low
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

According to lib/canonical/launchpad/pagetests/foaf/02-addemail.txt, you can ask for a confirmation message to be sent to an unconfirmed e-mail address "as many times as you want, because you can have lost the token and then you'll need another one".

That's a good reason, but it has a problem. If you don't have a Launchpad account, someone who isn't even logged in can DoS you by getting Launchpad to rapidly send you hundreds of confirmation messages.

Either Launchpad should limit the number of confirmation messages sent to an address (perhaps 2 per day maximum), or the confirmation message should include the IP address of the person who requested the confirmation (as other systems do), or both.

See also bug 341935.
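
A sketch of the two mitigations proposed in the description, as an added example (not Launchpad code and not from the reporter). It assumes an in-memory store, and the class name, message wording and sample addresses are constructed for illustration. The cap is keyed on the destination address because the requester may be anonymous.

```python
import time
from collections import defaultdict, deque

MAX_PER_WINDOW = 2            # the report's suggested "2 per day maximum"
WINDOW_SECONDS = 24 * 3600


class ConfirmationLimiter:
    """Sliding-window cap on confirmation mails, keyed by destination address."""

    def __init__(self, clock=time.time):
        self._clock = clock                 # injectable so the window is testable
        self._sent = defaultdict(deque)     # normalized address -> send timestamps

    @staticmethod
    def _key(address):
        # Key on the recipient, not the requester: an unauthenticated requester
        # can change source IP freely. Case-fold and strip so spelling variants
        # of one mailbox share a single budget.
        return address.strip().casefold()

    def request(self, address, requester_ip):
        """Return the message body to send, or None when the cap is reached."""
        now = self._clock()
        sent = self._sent[self._key(address)]
        while sent and now - sent[0] >= WINDOW_SECONDS:
            sent.popleft()                  # forget sends older than the window
        if len(sent) >= MAX_PER_WINDOW:
            return None                     # suppress: no further mail today
        sent.append(now)
        # Hypothetical wording; the point is that the requester's IP is included.
        return (
            "Someone asked to confirm this e-mail address.\n"
            f"The request came from IP address {requester_ip}.\n"
            "If this was not you, you can ignore this message."
        )


if __name__ == "__main__":
    limiter = ConfirmationLimiter()
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):  # constructed IPs
        body = limiter.request("victim@example.org", ip)
        print("sent" if body else "suppressed", "for request from", ip)
```

A suppressed request should still show the requester the same "message sent" page, so the response does not reveal whether the cap was hit.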

Changed in launchpad:
status: New → Confirmed
Curtis Hovey (sinzui)
Changed in launchpad-registry:
importance: Undecided → Wishlist
status: Confirmed → Triaged
description: updated