Tracker emails contain HTTP links to tracker.pureos.net
Open, Normal, Public

Description

Emails sent from noreply@tracker.pureos.net contain HTTP links to tracker.pureos.net and are thus vulnerable to MITM attacks when clicked.

Examples:

  1. in notifications of tasks:

TASK DETAIL
http://tracker.pureos.net/T118

EMAIL PREFERENCES
http://tracker.pureos.net/settings/panel/emailpreferences/

  2. in the email verification link sent to a new user who has registered:

Please verify that you own this email address (...........) by clicking this link: http://tracker.pureos.net/emailverify/xl............./

Fix:

Change the tracker's settings to use HTTPS links instead of HTTP, which can probably be accomplished by:

  1. A restart with "phd restart" may fix it, in case it's happening due to caching? See:

https://secure.phabricator.com/T10848 [Notification mails containing old links after changing phabricator.base-uri]

  2. The code path of the first example uses the 'phabricator.production-uri' config to determine the URI to use, so set it in the configuration to the https URI, which can be done with the command:

./bin/config set phabricator.production-uri HTTPSURIVALUE
where HTTPSURIVALUE is the result of ./bin/config get phabricator.base-uri
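
A check for the problem reported above, as an added example that is not part of the original task or of Phabricator: it parses an outbound notification mail and reports every plain-HTTP link to the tracker host, marking the verification link because its path carries a token. The sample mail is constructed, and `insecure_links`, `TRACKER_HOST` and the placeholder token are names assumed for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlsplit

TRACKER_HOST = "tracker.pureos.net"  # host named in this task
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample mail modelled on the notifications quoted in this task.
# One link is already https so the check has something to pass.
SAMPLE_MAIL = """\
From: noreply@tracker.pureos.net
To: user@example.org
Subject: [Created] T118: example task
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

TASK DETAIL
http://tracker.pureos.net/T118

EMAIL PREFERENCES
https://tracker.pureos.net/settings/panel/emailpreferences/

Verify: http://tracker.pureos.net/emailverify/PLACEHOLDERTOKEN/
"""

def insecure_links(raw_mail, host=TRACKER_HOST):
    """Return (url, carries_token) for every plain-HTTP link to `host`."""
    msg = message_from_string(raw_mail, policy=default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and attachments
        for url in URL_RE.findall(part.get_content()):
            parts = urlsplit(url.rstrip(".,)"))
            if parts.scheme.lower() == "http" and parts.hostname == host:
                # A verification path embeds a secret, so flag it separately.
                token = parts.path.startswith("/emailverify/")
                findings.append((parts.geturl(), token))
    return findings

if __name__ == "__main__":
    for url, token in insecure_links(SAMPLE_MAIL):
        print("INSECURE" + (" (token in URL)" if token else ""), url)
```

Run against a mail captured after the configuration change, an empty result means no HTTP links to the tracker remain in that message.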

Event Timeline

e3amn2l created this task. Sep 5 2018, 07:02
e3amn2l updated the task description. Sep 5 2018, 07:09
jeremiah.foster added a subscriber: jeremiah.foster.

We've recently done a phd restart so let's see if that helps . . .

No, that doesn't help;

TASK DETAIL

http://tracker.pureos.net/T563

EMAIL PREFERENCES

http://tracker.pureos.net/settings/panel/emailpreferences/

To: jeremiah.foster
Cc: jeremiah.foster, e3amn2l