SECURITY issue #21

Open
timaschew opened this issue Jun 18, 2018 · 4 comments

timaschew commented Jun 18, 2018

I just installed the plugin and set up the Google OAuth.

Then I tried as a user to log in via Google and I was redirected to a page on Piwigo where I can choose my user name but also the email address. So I'm able to register for any mail address I want; the admin has no chance to verify if the user used his real address or not (except by sending an email to the address). Instead the mail address should be derived from the OAuth response and should not be able to be overwritten by the user manually.

This is a really serious security issue, please fix this as soon as possible.

Member

mistic100 commented Jun 19, 2018

Hello,

How exactly is this a security issue? Neither the security of the gallery nor the Google account of the user is compromised at any moment.

The only "problem" is that the administrator is not sure the provided email corresponds to the linked account. And in my opinion this is a good thing: the user must be able to authenticate with an external provider but not give you his main email; he can choose what personal information he gives to you. *

You will also notice that in the standard Piwigo authentication the email is not mandatory and is not verified.

* This is in accordance with the GDPR and any data protection laws.

@mistic100
Member

I must clarify that the email is not used in the authentication process.

@timaschew
Author

But then I don't get the idea of permissions and groups: how can I add a user to a group if I can't ensure the identity of that user? Which is usually given by the email address with either an activation link or via an external provider.

@timaschew
Author

> The only "problem" is that the administrator is not sure the provided email corresponds to the linked account. And in my opinion this is a good thing, the user must be able to authenticate with an external provider but do not give you his main email, he can choose what personal information he gives to you

That's exactly my point. I'm okay if you say the external provider should not give the email, but then you should not allow the user to specify any email address he wants, just disable that input field then.

But currently the email address is passed by the provider because the input field is prefilled with my address, but I can change it.
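
Added example, not part of the thread or the plugin's code: a Python sketch that keeps the email field editable, as the maintainer wants, but records whether the stored address is the one the provider vouched for, so email-based group decisions never rest on a typed-in value. All class and function names and the sample values are hypothetical; `email_verified` mirrors the OpenID Connect claim of that name.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProviderProfile:
    """Claims returned by the OAuth/OpenID provider (hypothetical field names)."""
    provider: str
    subject: str                 # stable account id at the provider
    email: Optional[str]
    email_verified: bool


@dataclass(frozen=True)
class LocalAccount:
    username: str
    identity_key: str            # what authentication binds to, never the email
    email: Optional[str]
    email_verified: bool         # True only when the provider vouched for it


def _norm(addr: Optional[str]) -> Optional[str]:
    addr = (addr or "").strip().lower()
    return addr or None


def register(profile: ProviderProfile, username: str,
             form_email: Optional[str]) -> LocalAccount:
    """Create the local account from a completed OAuth login plus form input."""
    submitted = _norm(form_email)
    asserted = _norm(profile.email)
    # Verified only if the user kept the provider's address AND the provider
    # itself marks that address as verified. Anything typed in is just a claim.
    verified = (submitted is not None and submitted == asserted
                and profile.email_verified)
    return LocalAccount(
        username=username,
        identity_key=f"{profile.provider}:{profile.subject}",
        email=submitted,          # may be None: the user can withhold it
        email_verified=verified,
    )


def may_auto_join_group(account: LocalAccount, allowed_domain: str) -> bool:
    """Hypothetical rule: email-based grants need a provider-verified address."""
    if not (account.email_verified and account.email):
        return False
    return account.email.rsplit("@", 1)[-1] == allowed_domain.lower()
```

An address the user edits in the form is stored but flagged unverified, so an administrator can still require a confirmation mail before relying on it.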
