Linebreak in team membership request breaks URL
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Launchpad itself |
Triaged
|
Critical
|
Unassigned |
Bug Description
I recently received a request to join our team which came in as (copied from a "show original" view):
_______
...
Sender: <email address hidden>
Errors-To: <email address hidden>
Precedence: bulk
X-Generated-By: Launchpad (canonical.com); Revision="12956";
Instance=
X-Launchpad-Hash: d8304cdc45d4270
Hello Kevin Cole,
Julian Clark (julian.clark) wants to be a member of Washington, DC LoCo
(ubuntu-
membership has to be approved. You can approve, decline or leave it as
proposed by following the link below.
https:/
districtofcolum
...
_______
It appears to have been sent with the newline after the dash, which means that the mail client interprets the URL as
https:/
instead of:
https:/
Changed in launchpad: | |
status: | New → Triaged |
importance: | Undecided → Critical |
tags: | added: email team |
security vulnerability: | yes → no |
visibility: | private → public |
(It may not be a security vulnerability, but since it took me to an unexpected URL that actually worked, I felt there might be some potential for malicious abuse, however minor.)