Opened 17 months ago

Last modified 8 months ago

#10958 accepted defect

Exception while processing email links without EMAIL_VIEW privilege

Reported by: marmarek@…
Owned by: rjollos
Priority: high
Component: MarkdownMacro
Severity: normal
Keywords:
Cc:
Trac Release:

Description (last modified by rjollos)

When markdown content contains email links like this:

[test](mailto:email@example.com)

and the viewer doesn't have EMAIL_VIEW permission, it ends up with an exception (AttributeError: 'NoneType' object has no attribute 'group').

Trac converts such links (Formatter called from Markdown/macro.py) to:

<p>email@…
</p>

which doesn't match the HREF regexp. This causes an exception on line 48 in Markdown/macro.py:

url = re.search(HREF, out.getvalue()).groups()[0]

MarkdownMacro 0.11.2

Attached some workaround patch.

Attachments (1)

markdown-email.patch (962 bytes) - added by marmarek@… 17 months ago.
workaround patch

Change History (18)

Changed 17 months ago by marmarek@…

workaround patch

comment:1 Changed 17 months ago by rjollos

  • Owner changed from dwclifton to rjollos
  • Priority changed from normal to high
  • Status changed from new to assigned

Thanks for the patch.

comment:2 Changed 15 months ago by rjollos

  • Description modified (diff)

comment:3 Changed 15 months ago by rjollos

There is a small issue with the patch. When the user doesn't have EMAIL_VIEW permission, a link will be rendered with an obfuscated email in the href. I think we'd be better off just rendering the obfuscated email without wrapping it in a link, like Trac does.
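Added example, not part of the ticket thread and not MarkdownMacro's own code: one way to handle the formatter output from the description together with the behaviour proposed in comment:3, failing closed so the original address is never emitted when Trac has obfuscated it. HREF_RE, TAG_RE, is_obfuscated and render_link are hypothetical names (the plugin's real HREF regex is not shown on this page), and the sample strings in the test are constructed except for the obfuscated output quoted in the description.

```python
import re
from html import escape
from urllib.parse import unquote

# Assumed patterns for illustration; the plugin's actual HREF regex
# is not shown in the ticket.
HREF_RE = re.compile(r'href="([^"]*)"')
TAG_RE = re.compile(r'<[^>]+>')

# Trac's obfuscation replaces the part after '@' with U+2026 (ellipsis).
OBFUSCATED_MARK = '@\u2026'


def is_obfuscated(href):
    """True if the href carries an obfuscated address, raw or percent-encoded."""
    return OBFUSCATED_MARK in unquote(href)


def render_link(formatter_html, label):
    """Build the final markup from the wiki formatter's HTML output.

    formatter_html: HTML the formatter produced for the link target.
    label: link text taken from the Markdown source.
    """
    match = HREF_RE.search(formatter_html)
    if match is None or is_obfuscated(match.group(1)):
        # No usable href: the viewer lacks EMAIL_VIEW. Emit only the text
        # the formatter chose to show, without a link, and never fall back
        # to the target from the Markdown source.
        return TAG_RE.sub('', formatter_html).strip()
    # href comes from the formatter and is already attribute-escaped.
    return '<a href="%s">%s</a>' % (match.group(1), escape(label))
```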

comment:4 Changed 15 months ago by rjollos

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [13242]) Fixes #10958: (version 0.11.3) Render obfuscated emails without a link. This resolves a TracError when obfuscated emails were rendered: AttributeError: 'NoneType' object has no attribute 'group'.

comment:5 Changed 15 months ago by rjollos

marmarek@…: Please report back if you have a chance to test the latest version.

comment:6 Changed 15 months ago by marmarek@…

  • Resolution fixed deleted
  • Status changed from closed to reopened

It isn't working as expected: indeed no exception now, but lack of EMAIL_VIEW permission is ignored now. Full email address is rendered, as link.

comment:7 Changed 15 months ago by rjollos

What is the href for the link? Does it have a full email address, or an obfuscated email address?

comment:8 Changed 15 months ago by rjollos

Also, what are the [trac] never_obfuscate_mailto and [trac] show_email_addresses settings for your Trac?

comment:9 Changed 15 months ago by anonymous

Full email in href,

never_obfuscate_mailto = false
show_email_addresses = false

comment:10 Changed 15 months ago by rjollos

The full email in href tells me that the problem is not with the MarkdownMacro. MarkdownMacro is not responsible for obfuscation of the email, nor can it circumvent any obfuscation. The logic in MarkdownMacro only strips away link elements when the email is obfuscated.

I cannot imagine a situation in which you place an email address outside of the Markdown block and it was obfuscated, but an email within the Markdown block is not obfuscated. Please try it, and I think you will find that the user does actually have permission to view emails on the page in question. Perhaps you have granted EMAIL_VIEW to either the anonymous or authenticated groups, or the user has TRAC_ADMIN?

comment:11 Changed 15 months ago by marmarek@…

But actually it is happening.
RAW source:

* [text](mailto:email@example.com) some more text 

0.11.2 with my patch output:

<li>a href="mailto:email@%E2%80%A6">text</a> some more text</li>

0.11.4 output:

<li>a href="mailto:email@example.com">text</a> some more text</li>

(removed '<' from '<a' because of spam filter)

comment:12 Changed 15 months ago by rjollos

With the 0.11.4 version, if you place an email address outside of the Markdown WikiProcessor block, is it obfuscated?

comment:13 Changed 15 months ago by marmarek@…

Yes.
Here you have the problematic page: http://wiki.qubes-os.org/trac/wiki/UserDoc/TorVM (links at the end of page)
Currently running 0.11.4. I must revert it shortly to a working version...

comment:14 Changed 15 months ago by rjollos

I see now that format gets called in convert, so my previous assumption was wrong. I suspect there is an issue with the regex I've implemented. I'll do some more testing, and I nearly have a unit test harness set up, so that will help as well. One difference I see between your markup and what I tested with initially is that your line begins with a bullet and whitespace.

Thank you for providing an example of how it fails, it will help with fixing the issue. Thank you also for your patience in helping me to understand the problem.

comment:15 Changed 14 months ago by rjollos

  • Status changed from reopened to new

comment:16 Changed 13 months ago by rjollos

Sorry for the delay. I'll be returning to this very soon, and I'll be hoping that you are still willing to test out further changes.

comment:17 Changed 8 months ago by rjollos

  • Status changed from new to accepted
