From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on dcvr.yhbt.net X-Spam-Level: X-Spam-ASN: AS6939 65.19.128.0/18 X-Spam-Status: No, score=-0.6 required=3.0 tests=AWL,BAYES_00, RCVD_IN_BRBL_LASTEXT,RCVD_IN_MSPIKE_BL,RCVD_IN_MSPIKE_ZBI,RCVD_IN_SORBS_WEB, RCVD_IN_XBL,RDNS_NONE,SPF_FAIL,SPF_HELO_FAIL shortcircuit=no autolearn=no autolearn_force=no version=3.4.0 Received: from 80x24.org (unknown [65.19.167.130]) by dcvr.yhbt.net (Postfix) with ESMTP id 824471F406 for ; Tue, 16 Jan 2018 05:08:25 +0000 (UTC) From: Eric Wong To: meta@public-inbox.org Subject: [PATCH] hval: only allow domain obfuscation in address Date: Tue, 16 Jan 2018 05:08:22 +0000 Message-Id: <20180116050822.5714-1-e@80x24.org> List-Id: Obfuscating username portions of the email address leads to having subsequent parts of the address not being obfuscated; which could mean we show someone else's email entirely. In other words, obfuscating "john.doe@example.com" becomes might mean "doe@example.com" is picked up by scanners. In other news, email address obfuscation is still a horrible usability issue and only exists to appease misguided people. --- lib/PublicInbox/Hval.pm | 8 ++++---- t/hval.t | 2 ++ 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/lib/PublicInbox/Hval.pm b/lib/PublicInbox/Hval.pm index 00a923e..0e19902 100644 --- a/lib/PublicInbox/Hval.pm +++ b/lib/PublicInbox/Hval.pm @@ -95,13 +95,13 @@ sub obfuscate_addrs ($$) { my $ibx = $_[0]; my $re = $ibx->{-no_obfuscate_re}; # regex of domains my $addrs = $ibx->{-no_obfuscate}; # { adddress => 1 } - $_[1] =~ s/([\w\.\+=\-]+\@([\w\-]+\.[\w\.\-]+))/ - my ($addr, $domain) = ($1, $2); + $_[1] =~ s/(([\w\.\+=\-]+)\@([\w\-]+\.[\w\.\-]+))/ + my ($addr, $user, $domain) = ($1, $2, $3); if ($addrs->{$addr} || ((defined $re && $domain =~ $re))) { $addr; } else { - $addr =~ s!([^\.]+)\.!$1•!; - $addr + $domain =~ s!([^\.]+)\.!$1•!; + $user . '@' . $domain } /sge; } 
diff --git a/t/hval.t b/t/hval.t index 2af4d2a..7915f4c 100644 --- a/t/hval.t +++ b/t/hval.t @@ -18,6 +18,7 @@ hello@example.com meta@public-inbox.org test@public-inbox.org test@a.b.c.org +te.st@example.org EOF PublicInbox::Hval::obfuscate_addrs($ibx, $html); @@ -28,6 +29,7 @@ hello@example.com meta@public-inbox.org test@public-inbox•org test@a•b.c.org +te.st@example•org EOF is($html, $exp, 'only obfuscated relevant addresses'); -- EW
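Review bot: In the else branch of obfuscate_addrs in lib/PublicInbox/Hval.pm, the line `$domain =~ s!([^\.]+)\.!$1•!;` has no comment explaining why `$user` is passed through untouched. A later cleanup could move the substitution back onto `$addr` and reintroduce the leak the commit message describes. A one-line comment there would keep the reasoning next to the code, for example that replacing a dot in the local part leaves the remainder readable as a complete address. Separately, the domain class `[\w\.\-]+` in the regex is greedy and includes `.`, so an address followed by a sentence-ending period is captured with the trailing dot in both `$addr` and `$domain`. The `$addrs->{$addr}` lookup would then miss a key stored without that dot. This behaviour is the same on the removed and added regex lines, so it predates the patch, but it may be worth a follow-up.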
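Review bot: The new `te.st@example.org` line in t/hval.t only exercises a dotted local part on an address that ends up obfuscated; no case covers a dotted local part on an address that must stay unchanged, as the `hello@example.com` and `meta@public-inbox.org` lines do for undotted local parts. That is the path where the renumbered captures (`$1, $2, $3`) feed the `$addrs->{$addr}` and `$domain =~ $re` checks, so a mistake in the capture order would go unnoticed there. Consider adding one dotted-local-part address on an exempt domain to both heredocs, identical in input and expected output.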