author: https://id.koumbit.net/anarcat <https://id.koumbit.net/anarcat@web> 2014-09-15 16:30:44 -0400
committer: admin <admin@branchable.com> 2014-09-15 16:30:44 -0400
commit: e4ae341a8040bb37162d120ea89f0ce9e4c7a776 (patch)
tree: 39f8d9f5435652d08c7efd2020e2cbf711f4e48e
parent: 63e58fa5906436190e024879a1ad6a6e605257d2 (diff)
this patch doesn't make the situation worse, actually
-rw-r--r--  doc/bugs/notifyemail_fails_with_some_openid_providers.mdwn  2
1 files changed, 2 insertions, 0 deletions
diff --git a/doc/bugs/notifyemail_fails_with_some_openid_providers.mdwn b/doc/bugs/notifyemail_fails_with_some_openid_providers.mdwn
index 91aeda453..c4542c8d0 100644
--- a/doc/bugs/notifyemail_fails_with_some_openid_providers.mdwn
+++ b/doc/bugs/notifyemail_fails_with_some_openid_providers.mdwn
@@ -93,3 +93,5 @@ Any other ideas? --[[anarcat]]
>>>> hmm... true, that is a problem, especially for hostile wikis. but then any hostile site could send you such garbage - they would be spammers then. otherwise, you could ask the site manager to disable that account...
>>>>
>>>> this doesn't seem to be a very big security issue that would merit implementing a new verification mechanism, especially since we don't verify email addresses on accounts right now. what we could do however is allow password authentication on openid accounts, and allow those users to actually change settings like their email addresses. however, I don't think this should be blocking that functionality right now. --[[anarcat]]
+>>>>
+>>>> besides, the patch I am proposing doesn't make the vulnerability worse at all, it exists right now without the patch. my patch only allows users that **don't** have an email set (likely because their openid provider is more discreet) to set one... --[[anarcat]]
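Review bot: The added reply argues that the proposed patch does not worsen the existing vulnerability because it only lets users without an email address set one, but it leaves unstated what the preceding context line already concedes, namely that email addresses on accounts are not verified at all. Since the bug page is the record of the decision, the reply should say explicitly that an address set through this path stays unverified until a confirmation step exists, so that the "not blocking" conclusion is visibly tied to that known gap rather than read as a claim that the patch is risk-neutral on its own; the same point applies to the suggested password authentication for openid accounts, which would let those users change their address through the same unverified path.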