Currently, when we send emails as 'bcc', in order to hide the recipients addresses, the full list of addresses is published in the Mass Contact node which is created.

As a result, any user with the 'access content' permission can harvest the emails for all of the users on the site.

If the bcc option is checked, the full recipient list should not be published.

Comments

Forest Websites’s picture

I've noticed the same problem. Currently I have to log into the Admin of all my sites that use Mass Contact, and then unpublish the stored Mass Contact nodes.

I've also tried altering the default settings for the Mass Contact content type so that its default is unpublished. But for some reason this is ignored when you actually create new content of that type.

Does anyone know how we can fix this?

oadaeh’s picture

Category: bug » feature

@jthorson: as much as you may hate it, showing the Bcc recipients in the node is not a bug. I disagree in that the module should just unilaterally hide all Bcc recipients. I do, however, believe there should be some mechanism for allowing them to be hidden or shown. Currently, unpublishing the node is the only option. Once I'm done with the port to Drupal 7, I can look at changing how this issue is addressed.

@Andrew Dolan: ignoring the default setting of whether to publish or not is a bug, and you should create a new issue for that.

jthorson’s picture

Fair enough ... I marked it as a bug because of the potential security implications, but if that was per design, the 'feature request' label is more appropriate.

To elaborate and add some detail to the request, my suggested approach would be to add a 'view "bcc" addresses' permission; and only perform a check against this permission during the pre-processing of the resulting "mass contact" node (I'll see whether I can spare some time to drum up a patch this weekend.)

oadaeh’s picture

Yes, adding a permission sounds like the right way to do it and is easy enough. What will take a bit of work is applying the permission to the node during viewing, since everything except the subject is included in the node's body as one chunk.

oadaeh’s picture

Status: Active » Fixed

I have implemented this feature in the 7.x version of this module.

Will I back port it to 6.x? Probably not. I've got a lot going on right now, and this module would have to depend on a lot of other modules.

netgenius.co.uk’s picture

I've just been hit by this - recently upgraded from an older version which didn't have this behaviour, and didn't know this was going to happen - just published 2500 "private" email addresses for all to see - I hope I was quick enough for Google not to grab the page. Ok, if not a bug I *strongly* feel that some kind of warning should be visible. If it's *meant* to work this way... well I'm sorry but I think it's seriously flawed behaviour, with neither a warning about security implication nor a method of hiding the email addresses (other than unpublishing or using a node access module.)

May I suggest for now at least you place a prominent warning on the project page here?

netgenius.co.uk’s picture

Addednum - since when creating a mass-contact message, the form says "Recipients will be hidden." (immediately above the subject field) I would suggest that either that message *is* a bug, or the listing of emails addresses in the node *is* a bug.

With respect, I write and maintain modules myself and do understand your position on this, but I don't think you should be ignoring it - it's a serious issue.

netgenius.co.uk’s picture

Suggested work-around - at line #1994 in mass_contact.module (currently a blank line) add either:

$node->status = 0;

... to set the node as unpublished, or:

$recipients = t('hidden');

... to hide the recipient list.

oadaeh’s picture

I've just been hit by this - recently upgraded from an older version which didn't have this behaviour,

Maybe I'm just not understanding what the real issue is here. What do you mean by it "didn't have this behaviour"? I haven't changed that code in almost 4 years, if ever. The oldest record I have of any change is from Jan. of 2008, but that was because the original CVS tags were broken and needed to be fixed. This is about displaying recipient addresses in the archived copy on the website, right?

Ok, if not a bug I *strongly* feel that some kind of warning should be visible. If it's *meant* to work this way... well I'm sorry but I think it's seriously flawed behaviour, with neither a warning about security implication not a method of hiding the email addresses (other than unpublishing or using a node access module.)

The original idea with the message being saved as a node was to have a backup copy of it saved for archival purposes. It was not necessarily intended to be displayed to the general public. If you are using it in another manner, that is not a flaw on my part.

I can add warning messages to both the administration page and to the main message sending page. I can also add an administration option that specifies that the addresses are not to be added to the saved node. I am not really interested in spending the time and resources necessary in adding CCK functionality and module dependencies for an optional feature.

oadaeh’s picture

Addednum - since when creating a mass-contact message, the form says "Recipients will be hidden." (immediately above the subject field) I would suggest that either that message *is* a bug, or the listing of emails addresses in the node *is* a bug.

The recipients are hidden in the outgoing message, which is what that is referring to. That is not a bug. Saving a copy of the message as a node is an optional feature. It is also not a bug that the recipients are not hidden there, either. I want to be able to come back to that message a month or a year later and see who I sent it to.

oadaeh’s picture

Addednum - since when creating a mass-contact message, the form says "Recipients will be hidden." (immediately above the subject field) I would suggest that either that message *is* a bug, or the listing of emails addresses in the node *is* a bug.

The recipients are hidden in the outgoing message, which is what that is referring to. That is not a bug. Saving a copy of the message as a node is an optional feature. It is also not a bug that the recipients are not hidden there, either. I want to be able to come back to that message a month or a year later and see who I sent it to.

oadaeh’s picture

Suggested work-around - at line #1994 in mass_contact.module (currently a blank line) add either:

$node->status = 0;

... to set the node as unpublished, or:

I have had at least one bug report (maybe two or three -- I'll leave searching the issue queue to you) to not do that. You can change the content type to default to not be published, if you desire, and that saved copy will not be published, as a normal behavior of Drupal. If that doesn't happen, that would be a bug.

netgenius.co.uk’s picture

Ok... so it seems that something in Drupal must have changed. In older versions the saved nodes were always saved as unpublished, but now not. I have definitely not changed the defaults, simply upgraded.

Possibly it was just luck that nodes were previously saved as unpublished - who knows. Well, I agree your code is not at fault! but I *still* suggest that documentation should carry a warning, as should the project page - it's too easy to accidentally hit this and so publish all members email addresses.

Since I don't want to p*** you off even more :) by changing the Component here to Documentation, I won't!

Your good work is appreciated, even though at times it doesn't seem that way.

oadaeh’s picture

Version: 6.x-1.1 » 6.x-1.x-dev
Component: Code » User interface
Assigned: Unassigned » oadaeh
Status: Fixed » Active

I will make the changes I mentioned, but it will be after I get back from BADCamp.

mgifford’s picture

Thanks @oadaeh I'm hoping these get applied to the D7 version too. I just ran into this problem with 7.x-1.0-alpha2 and am looking not to have to hack a workaround on this one.

oadaeh’s picture

@mgifford: In the Drupal 7 version, since I've separated out the various components of the message, you can use whatever method you want to not display various fields. The one method that comes immediately to mind is using the Field Permissions module, though I'll bet there are other options.

mgifford’s picture

This is good to know, thanks! I didn't check if that had made it's way into the docs, but would make a lot of sense so that private emails are held private.

mgifford’s picture

Note, when I went here - admin/structure/types/manage/mass-contact/fields/field_mass_contact_bcc

Changed the field settings to private:

BCC FIELD SETTINGS
These settings apply to the BCC field everywhere it is used. Because the field already has data, some settings can no longer be changed.

Field visibility and permissions
Public (author and administrators can edit, everyone can view)
Private (only author and administrators can edit and view)
Custom permissions

But that didn't stop it from being displayed.

I could modify the display - admin/structure/types/manage/mass-contact/display - but ultimately the defaults need to be more secure than this. It shouldn't be the default to publish lists of emails to the front page for any module in contrib. It's just a bad practice.

oadaeh’s picture

@mgifford: A) I didn't get that message, and B) it worked correctly for me. I'm not sure why it didn't work for you, but if you want to continue pursuing that particular thread, please do so in another issue, as it's different than this one.

mgifford’s picture

@oadaeh - A) are you referring to the text I quoted in #18? If so I'd like to know what you see here - admin/structure/types/manage/mass-contact/fields/field_mass_contact_bcc - I was just reporting what I saw in the interace and what options I reported.

B) What worked correctly for you? The defaults ensuring with a new install the bcc'd emails are private? The defaults should have the bcc display field being hidden by default with a new install.

This might work in dev, but not sure if we're testing the same versions. I was using 7.x-1.0-alpha2.

oadaeh’s picture

A) are you referring to the text I quoted in #18? If so I'd like to know what you see here - admin/structure/types/manage/mass-contact/fields/field_mass_contact_bcc - I was just reporting what I saw in the interace and what options I reported.

Yes, that is correct. Actually, I guess I had no BCC fields filled in before I tested it, because I now see what you copied above. After testing it again, I find it still works correctly.

B) What worked correctly for you? The defaults ensuring with a new install the bcc'd emails are private? The defaults should have the bcc display field being hidden by default with a new install.

No, that is incorrect. What is correct is that you may hide them, if you desire. What does work correctly is that by using the Field Permissions module you can show or hide that or any other field.

By default, I am not going to impose your or anyone else's ideals on everyone else where it does not make sense to do so. Just because you think that field should be hidden by default does not mean anyone else does.

The intended use case for the node copy functionality is as an archival feature. In that sense, only certain individuals would have access to any of the content, so all of it (not just the BCC field) would be inaccessible to most users. The fact that you are using that feature for other purposes does not change intended use case, so I will not require this module to depend on another module nor will I hide that field by default for your use case.

This might work in dev, but not sure if we're testing the same versions. I was using 7.x-1.0-alpha2.

That code is not different between the current dev, 7.x-1.0-alpha3, and 7.x-1.0-alpha2 versions (and probably the 7.x-1.0-alpha1 version, although I don't remember what changed between 7.x-1.0-alpha1 and 7.x-1.0-alpha2).

mgifford’s picture

Issue tags: +security

Thanks for your response. I don't have time just yet to install this module from scratch again, but I can assure you that I didn't do much of anything beyond enabling it, setting up a role to send it to.

I don't think I changed the default conditions when I set it up. After sending out this email the archived version was published, promoted to the front page and with the BCC column visible.

Maybe I did something wrong. If so then this issue will die. However, if it is easy to make visible on the front page a list of people's email addresses that have been not cc'd but clearly bcc'd, I'd consider this a security problem.

I did enable the field permissions module, but really all that needs to happen is that by default the bcc field should be hidden by default. It's easy to change in the content type, but this is a security issue and not simply a matter of personal preference.

jthorson’s picture

+1 to #22. This is a huge security wtf.

If someone wants to enable display of the bcc field on a Mass Contact node on their own site, it should require an active and conscious decision to do so. I could understand the 'archival feature' argument if that was the sole and primary function of this module ... but for the majority of users the reason they would install the Mass Contact module is to easily email all users of their site. If the default behavior for these people is to then publish the bcc email addresses in a node, and promote that node to the front page ... you have suddenly exposed the email addresses of every user on the site to address harvesters and collection for spammers.

Calling this a 'personal preference' shows a blatant disregard for the seriousness of this issue. Sure, this isn't an issue in a properly configured site ... but that does not guarantee that every site will be properly configured.

oadaeh’s picture

Okay, I've corrected the bug with the content node being saved with the content type's settings, here: http://drupalcode.org/project/mass_contact.git/commit/c18c0ef

I'll work on making the changes I said I would in #9.

oadaeh’s picture

I've added some administrative options for excluding any or all of the categories, roles, To recipients, and/or BCC recipients from the archived copy, here: http://drupalcode.org/project/mass_contact.git/commit/382ef0a

Try the 6.x-1.x-dev version, after it gets updated, and let me know if those changes work for you.

The location of the settings is admin/build/mass_contact/settings at the bottom of the page, in a new "Node copy options" fieldset.

mgifford’s picture

Thanks! I don't have time to test this right now, but will try to do so on the D7 version.

oadaeh’s picture

Status: Active » Fixed

I think that after over 1 and a half years with no response, I can assume the solution is acceptable.

Status: Fixed » Closed (fixed)
Issue tags: -security

Automatically closed -- issue fixed for 2 weeks with no activity.