Open Bug 1092445 Opened 10 years ago Updated 10 years ago

Default reply comment header shows emails to those not logged for accounts without a "real name"

Categories

(Bugzilla :: User Interface, defect)

defect
Not set
normal

People

(Reporter: sam, Unassigned)

Details

(Keywords: privacy)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:33.0) Gecko/20100101 Firefox/33.0
Build ID: 20141027150301

Steps to reproduce:

Went to https://bugzilla.mozilla.org/show_bug.cgi?id=1034952 without being logged in


Actual results:

My email address is shown in several places


Expected results:

No email addresses should be shown publicly to users who are not logged in.
Your email is not appearing in any Bugzilla UI elements, it is showing in quoted comment text (I assume you mean the address in bug 1034952 comment 10 and so on, which is different than the address your account appears to have now).

This appears to happen when accounts have no "real name". For example, if I reply to your comment above _now_ I get "(In reply to Samuel from comment #0)", using your name without the email address. The address is included only when we don't have another name for the user.

It would be better to skip the email address if that's all we know about an account and instead use simply "(In reply to comment #10)". In fact that would work even if we do have a real name, but maybe leaving out the name when we know it would be considered less personal or polite or something. Of course these days with people leaving messages in their real names there are other aesthetic reasons to omit the name.

(In reply to John [:jdoe] Doe (not reading bugmail, please use needinfo?) in comment #0)
(In reply to John Doe [on vacation 11/1 through 11/15] in comment #0)

... gets a little silly.

Since the bugzilla privacy guarantees are not strong to begin with (anyone can create an account and then see the addresses) I'm going to unhide this bug.
Assignee: general → ui
Group: bugzilla-security
Status: UNCONFIRMED → NEW
Component: Bugzilla-General → User Interface
Ever confirmed: true
Keywords: privacy
Summary: Privacy concerns, emails in bugs showing publicly → Default reply comment header shows emails to those not logged for accounts without a "real name"
Actually, I think what happened is that I changed email addresses. So now since the old email address is not tied to an account, it's freely displaying it. But this is still a privacy concern IMO. My name was always set to something, it was never blank.
I hid this bug so unregistered users (and potentially bots) would not crawl this bug, and hit the link I gave which has my email address publicly revealed.
(In reply to Daniel Veditz [:dveditz] from comment #1)
> It would be better to skip the email address if that's all we know about an
> account and instead use simply "(In reply to comment #10)". In fact that
> would work even if we do have a real name, but maybe leaving out the name
> when we know it would be considered less personal or polite or something. Of
> course these days with people leaving messages in their real names there are
> other aesthetic reasons to omit the name.

No, removing the real name would be a regression. We include it on purpose since Bugzilla 4.4 (bug 653634; bmo backported this feature to 4.2) to easily know whom we are quoting. This information is really helpful (both in the bug itself and in bugmails) and we won't remove it.

What /could/ be done is to not display the email address if there is no real name available, but then we would lose useful information. A better solution would be to morph the email address to something like "nick at domain dot com". The email address would then still be readable by humans, and we wouldn't lose information. This looks like the best solution to me.

The full fix will be bug 218917, but that's not something which will happen before Bugzilla 5.2/6.0.
Version: unspecified → 4.4
See #4: https://www.mozilla.org/en-US/about/manifesto/

Is my privacy not fundamental? Is it too much to expect my email address(es) to not be floating out there on the web publicly? I see this as a pretty simple fix:

Email addresses should never be visible to a non-logged-in user. It's a simple enough affair to replace xxxxxx@yyyy with x*****@yyyy in the body of any comments.

Let me know if I can contribute to the Bugzilla source, I'd be glad to make this fix myself.
(In reply to Samuel from comment #5)
> Let me know if I can contribute to the Bugzilla source, I'd be glad to make
> this fix myself.

Sources are easily available, and anyone can attach a patch and request review here.
Great. Should I attach a patch to this bug or file a new one?
(In reply to Samuel from comment #7)
> Great. Should I attach a patch to this bug or file a new one?

Attaching patches to this bug seems appropriate.
Thanks Steve. Is there a document I can look at that explains how you guys like patches to be formatted? Or will a "diff -u file.old file.new" suffice?
(In reply to Samuel from comment #9)
> Thanks Steve. Is there a document I can look at that explains how you guys
> like patches to be formatted? Or will a "diff -u file.old file.new" suffice?

Just so there's no confusion, if "you guys" means those who can speak in official capacity, that does not include me.  ;-)  But have a look at this page:
https://developer.mozilla.org/en-US/docs/Mozilla/Developer_guide/How_to_Submit_a_Patch
(In reply to Samuel from comment #9)
> like patches to be formatted? Or will a "diff -u file.old file.new" suffice?

This command is fine. Make sure to execute it from the bugzilla/ root directory.
Or even better, use git diff or bzr diff to generate your patch.
As a Bugzilla developer, I would oppose a patch which did a search-and-replace on all comments for email-address-like things. That has the potential to mangle other comments in a bad way.

However, a patch which changed the quoting header for future quotations might work; it depends what you did. "foo at bar dot com" would be OK.

Gerv
It wouldn't search-and-replace on "email-address-like things," it would actually only work on email addresses only. :)

So if my comment mentioned, for example, steve12345@gmail.com, it would censor it (for users not logged in) to s****@gmail.com. Or maybe even [email address hidden]. There could also be an override, if someone wants to make an email address public (like info@mozilla.org). Perhaps they could format it in the comments like so: %pub:info@mozilla.org. Just a thought.

Thoughts on this? I suppose just cloaking emails in the "reply to" header would work too, and certainly be less prone to error. I don't think "foo at bar dot com" would be OK, as it's about privacy in general, not just about spambots.
(In reply to Samuel from comment #14)

> So if my comment mentioned, for example, steve12345@gmail.com, it would
> censor it (for users not logged in) to s****@gmail.com. Or maybe even [email
> address hidden].

Please focus on what this bug is about, i.e. the reply comment header. What you say here is already covered by bug 376909.
Note that scrubbing the "reply to" header will not obviously retroactively censor past posts, since it's just embedded text in the actual comment itself. So this doesn't address all the past comments that have been made, which is kind of a bummer.
(In reply to Samuel from comment #16)
> Note that scrubbing the "reply to" header will not obviously retroactively
> censor past posts, since it's just embedded text in the actual comment
> itself. So this doesn't address all the past comments that have been made,
> which is kind of a bummer.

Indeed. However, this downside isn't great enough to do comment mangling of the sort proposed in bug 376909. "Email-address-like things" are things that would be caught by an email-address-detecting regexp but are not actually email addresses.

Gerv
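
What a blind address-matching search-and-replace does to typical bug-tracker text, as an added example that is not part of the comment above and not code from Bugzilla or bug 376909. The pattern `ADDRESS_LIKE`, the placeholder text and all sample lines are assumptions constructed for the illustration.

```javascript
// Added illustration, not code from Bugzilla or bug 376909.
// ADDRESS_LIKE is an assumed pattern in the style commonly used to find addresses.
const ADDRESS_LIKE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+/g;
const PLACEHOLDER = '[email address hidden]';

// Blind search-and-replace over a comment body.
function scrub(text) {
  return text.replace(ADDRESS_LIKE, PLACEHOLDER);
}

// Constructed comment lines; only the first contains a personal address.
const SAMPLES = [
  { kind: 'address',    text: 'Please CC steve12345@example.com on this.' },
  { kind: 'git remote', text: 'git clone git@git.example.org:team/project.git' },
  { kind: 'scp target', text: 'scp build.log deploy@stage.example.org:/var/tmp/' },
  { kind: 'message id', text: 'Refs Message-ID <20141101.1234@lists.example.org>' },
  { kind: 'pkg pin',    text: 'Regressed by the bump to examplepkg@1.3.0' },
  { kind: 'plain text', text: 'Ping me @ 10.30 tomorrow' },
];

// Kinds whose text was altered even though they are not personal addresses.
function collateralDamage(samples) {
  return samples
    .filter((s) => s.kind !== 'address' && scrub(s.text) !== s.text)
    .map((s) => s.kind);
}

// Show each line as a logged-out reader would see it after scrubbing.
for (const s of SAMPLES) {
  console.log(`${s.kind.padEnd(10)} | ${scrub(s.text)}`);
}
console.log('mangled non-addresses:', collateralDamage(SAMPLES));
```

Strings such as `git@git.example.org` are well-formed as addresses, so whether they should be hidden depends on context rather than syntax.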
(In reply to Gervase Markham [:gerv] from comment #17)
> Indeed. However, this downside isn't great enough to do comment mangling of
> the sort proposed in bug 376909. "Email-address-like things" are things that
> would be caught by an email-address-detecting regexp but are not actually
> email addresses.
> 
> Gerv

What would be caught by accident? Surely Email::Valid would do a great job at matching email addresses? Regex could pull potential addresses from text, and Email::Valid could double check.
(In reply to Samuel from comment #18)
> What would be caught by accident? Surely Email::Valid would do a great job
> at matching email addresses? Regex could pull potential addresses from text,
> and Email::Valid could double check.

Please stop this discussion about email addresses in comments. This is out of the topic of this bug.
What are you talking about? That is *exactly* what this bug is about.

"Default reply comment header shows emails to those not logged for accounts without a "real name""

I filed this bug. I was merely mistaken in thinking that the "in reply to" was a separate UI element, that's all. Now that I understand that it's part of the actual comment body, the scope has changed.
(In reply to Samuel from comment #20)
> What are you talking about? That is *exactly* what this bug is about.

This bug is about inserting the email address in the reply header only. About existing comments which already contain email addresses, this is bug 376909.
I suppose a good first step would be to stop adding email addresses in plaintext to the reply header. I'll start there.
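
The fallback choices raised in this thread for the reply header of an account with no real name (omit the identity, "nick at domain dot com", or a masked address), as an added example that is not Bugzilla's code. The `{ realName, login }` object shape, the policy names and the check for a real name that is itself an address are assumptions.

```javascript
// Added illustration, not Bugzilla source. The { realName, login } shape
// and the policy names are assumptions made for this example.
const FALLBACKS = {
  // Behaviour reported in this bug: the raw login ends up in comment text.
  raw: (login) => login,
  // "nick at domain dot com": readable by humans, no literal address.
  spelled: (login) => login.replace('@', ' at ').replace(/\./g, ' dot '),
  // "x*****@yyyy": first character plus domain; fixed-width mask so the
  // length of the local part is not disclosed.
  masked: (login) => {
    const at = login.lastIndexOf('@');
    return at < 1 ? '[address hidden]' : login[0] + '****' + login.slice(at);
  },
  // "(In reply to comment #10)": no identity at all.
  omit: () => null,
};

// Assumed edge case: an account whose "real name" field holds an address.
const LOOKS_LIKE_ADDRESS = /\S+@\S+\.\S+/;

function replyHeader(user, commentId, policy = 'omit') {
  const name = (user.realName || '').trim();
  const usable = name !== '' && !LOOKS_LIKE_ADDRESS.test(name);
  // A usable real name always wins; the policy only governs the fallback.
  const who = usable ? name : FALLBACKS[policy](user.login);
  return who === null
    ? `(In reply to comment #${commentId})`
    : `(In reply to ${who} from comment #${commentId})`;
}

// Constructed sample accounts.
const named = { realName: 'Samuel', login: 'sam@example.com' };
const unnamed = { realName: '', login: 'steve12345@example.com' };
const addressAsName = { realName: 'steve12345@example.com', login: 'steve12345@example.com' };

for (const policy of Object.keys(FALLBACKS)) {
  console.log(policy.padEnd(8), replyHeader(unnamed, 10, policy));
}
console.log('named   ', replyHeader(named, 0));
console.log('as name ', replyHeader(addressAsName, 10));
```

The `spelled` form stays fully recoverable by a reader and `masked` still shows the domain; only `omit` writes nothing about the address into the comment text, which matters because the header is stored as part of the comment.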