Modify

Opened 5 years ago

Last modified 12 months ago

#10958 new defect

Exception while processing email links without EMAIL_VIEW privilege

Reported by: marmarek@… Owned by: Ryan J Ollos
Priority: high Component: MarkdownMacro
Severity: normal Keywords:
Cc: Trac Release:

Description (last modified by Ryan J Ollos)

When markdown content contains email links like this:

[test](mailto:email@example.com)

and viewer doesn't have EMAIL_VIEW permission, it end up with exception (AttributeError: 'NoneType' object has no attribute 'group').

Trac converts such links (Formatter called from Markdown/macro.py) to:

<p>email@…
</p>

which doesn't match to HREF regexp. This causes exception on line 48 in Markdown/macro.py:

url = re.search(HREF, out.getvalue()).groups()[0]

MarkdownMacro 0.11.2

Attached some workaround patch.

Attachments (1)

markdown-email.patch (962 bytes) - added by marmarek@… 5 years ago.
workaround patch

Download all attachments as: .zip

Change History (20)

Changed 5 years ago by marmarek@…

Attachment: markdown-email.patch added

workaround patch

comment:1 Changed 5 years ago by Ryan J Ollos

Owner: changed from Douglas Clifton to Ryan J Ollos
Priority: normalhigh
Status: newassigned

Thanks for the patch.

comment:2 Changed 5 years ago by Ryan J Ollos

Description: modified (diff)

comment:3 Changed 5 years ago by Ryan J Ollos

There is a small issue with the patch. When the user doesn't have EMAIL_VIEW permission, a link will be rendered with an obfuscated email in the href. I think we'd be better off just rendering the obfuscated email without wrapping it in a link, like Trac does.

comment:4 Changed 5 years ago by Ryan J Ollos

Resolution: fixed
Status: assignedclosed

(In [13242]) Fixes #10958: (version 0.11.3) Render obfuscated emails without a link. This resolves a TracError when obfuscated emails were rendered: AttributeError: 'NoneType' object has no attribute 'group'.

comment:5 Changed 5 years ago by Ryan J Ollos

marmarek@…: Please report back if you have a chance to test the latest version.

comment:6 Changed 5 years ago by marmarek@…

Resolution: fixed
Status: closedreopened

It isn't working as expected: indeed no exception now, but lack of EMAIL_VIEW permission is ignored now. Full email address is rendered, as link.

comment:7 Changed 5 years ago by Ryan J Ollos

What is the href for the link? Does it have a full email address, or an obfuscated email address?

comment:8 Changed 5 years ago by Ryan J Ollos

Also, what are the [trac] never_obfuscate_mailto and [trac] show_email_addresses settings for your Trac?

comment:9 Changed 5 years ago by anonymous

Full email in href,

never_obfuscate_mailto = false
show_email_addresses = false

comment:10 Changed 5 years ago by Ryan J Ollos

The full email in href tells me that the problem is not with the MarkdownMacro. MarkdownMacro is not responsible for obfuscation of the email, nor can it circumvent any obfuscation. The logic in MarkdownMacro only strips away link elements when the email is obfuscated.

I cannot imagine a situation in which you place an email address outside of the Markdown block and it was obfuscated, but an email within the Markdown block is not obfuscated. Please try it, and I think you will find that that the user does actually have permission to view emails on the page in question. Perhaps you have granted EMAIL_VIEW to either the anonymous or authenticated groups, or the user has TRAC_ADMIN?

comment:11 Changed 5 years ago by marmarek@…

But actually it is happening. RAW source:

* [text](mailto:email@example.com) some more text 

0.11.2 with my patch output:

<li><a href="mailto:email@%E2%80%A6">text</a> some more text</li>

0.11.4 output:

<li><a href="mailto:email@example.com">text</a> some more text</li>
Last edited 12 months ago by Ryan J Ollos (previous) (diff)

comment:12 Changed 5 years ago by Ryan J Ollos

With the 0.11.4 version, if you place an email address outside of the Markdown WikiProcessor block, is it obfuscated?

comment:13 Changed 5 years ago by marmarek@…

Yes. Here you have problematic page: http://wiki.qubes-os.org/trac/wiki/UserDoc/TorVM (links at the end of page) Currently running 0.11.4. I must revert it shortly to working version...

comment:14 Changed 5 years ago by Ryan J Ollos

I see now that format gets called in convert, so my previous assumption was wrong. I suspect there is an issue with the regex I've implemented. I'll do some more testing, and I nearly have a unit test harness setup, so that will help as well. One difference I see between your markup and what I tested with initially is that your line begins with a bullet and whitespace.

Thank you for providing an example of how it fails, it will help with fixing the issue. Thank you also for your patience in helping me to understand the problem.

comment:15 Changed 5 years ago by Ryan J Ollos

Status: reopenednew

comment:16 Changed 4 years ago by Ryan J Ollos

Sorry for the delay. I'll be returning to this very soon, and I'll be hoping that you are still willing to test out further changes.

comment:17 Changed 4 years ago by Ryan J Ollos

Status: newaccepted

comment:18 Changed 12 months ago by Ryan J Ollos

Status: acceptednew

comment:19 Changed 12 months ago by Ryan J Ollos

Possible related issue fixed in #12996. Please test with latest version if you have time.

Modify Ticket

Change Properties
Set your email in Preferences
Action
as new The owner will remain Ryan J Ollos.

Add Comment


E-mail address and name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.