
Validation Email sent more than one time | Forum

Mariano
Mariano Jun 8 '16
I'm having the issue that the confirmation/validation email is sent more than one time in the cases where users click more than one time on "send email" to validate their email.


It's an issue because when the cron runs, the user will receive more than one email, *the same email* more than one time.


In the case where the user only clicks one time on the "send email" button, the user will receive only one email.



dave Leader
dave Jun 8 '16
You need to change the text on that page in the language file to tell them not to click more than once. Oxwall cannot control how many times they click on that.
Mariano
Mariano Jun 8 '16

Quote from dave You need to change the text on that page in the language file to tell them not to click more than once. Oxwall cannot control how many times they click on that.


But it can check if there is a previously scheduled email of the "validate email" type, maybe?


Otherwise this is a serious flag, because someone can flood the service and the hosting provider can block the SMTP emails for exceeding the emails per day; this is a common restriction.

The Forum post is edited by Mariano Jun 8 '16
dave Leader
dave Jun 8 '16
You can always turn off email verify; this will prevent them from going to that page.


And then you can send them an email yourself asking them to reply to verify their account; then they reply, and then you approve them.

The Forum post is edited by dave Jun 8 '16
JoshWho
JoshWho Jun 9 '16
I agree. This is a security issue and can cause problems if someone wanted to do it. There are lots of browser click scripts out there that could just continuously click that over and over again. This could be a serious problem and could get your server's email blacklisted, or if using an SMTP service, could get it suspended.
Quote from Mariano
Quote from dave You need to change the text on that page in the language file to tell them not to click more than once. Oxwall cannot control how many times they click on that.


But it can check if there is a previously scheduled email of the "validate email" type, maybe?


Otherwise this is a serious flag, because someone can flood the service and the hosting provider can block the SMTP emails for exceeding the emails per day; this is a common restriction.


Mariano
Mariano Jun 9 '16
Guys, I don't know the whole process in depth, but I think the pseudocode can be:


1) event trigger to add a cron job task

2) check if the task is not already in the queue

2.1) if it's in the queue, ignore it

2.2) if it's not in the queue, add it


I propose this because:


1) I need email verification to be sure the email is correct and the user receives his notifications

2) we can never rely on a message to a dummy user to NOT do something more than one time

The Forum post is edited by Mariano Jun 9 '16
ross Team
ross Jun 14 '16

Quote from dave You need to change the text on that page in the language file to tell them not to click more than once. Oxwall cannot control how many times they click on that.
Dave +1


Mariano, you can make a suggestion on uservoice: https://developers.oxwall.com/roadmap

Otherwise this is considered a custom code modification.

JoshWho
JoshWho Jun 14 '16
I would consider it an exploit, not a suggestion. Especially now that this conversation has been had, it has probably popped up in a lot of people's minds.
Senior Developer Leader
Senior Developer Jun 14 '16
JoshWho 


+1


It's a core problem, where an attacker can put your server on a blacklist easily.

dave Leader
dave Jun 14 '16
Even if the clicks are counted and limited to 2, for example, all they have to do is refresh the page and they have 2 more. And even if you take them to another page after the click, they can always copy the URL and go back and click it again. The only real solution that I can see to totally solve this is to remove the option to resend the notification from the user side and put it on the admin side.
JoshWho
JoshWho Jun 15 '16
No, you can create an expiring link for it and only allow it to be invoked so many times. The rate I would choose is an allowance of only 5 tries within 60 minutes, but limited to 1 per 10 minutes. This way it is so spread out it would time out a bot trying to do this. It is a vulnerability and maybe should be thought out for this next update. Just give a mention to the devs; I am sure this is something they could add on the fly. They seem to be really swift with writing stuff, so I say it is worth a shot to just message them and ask. I think they would be very interested in it: for one, they are rolling out a commercial platform, and exploits and vulnerabilities will be rolling out a lot more now with the new publications going out. If I was the top dev of Oxwall I would be concerned about this. I wouldn't want my customers complaining about script kiddies getting their email blacklisted.
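The two mitigations proposed in this thread, Mariano's "don't queue a second validate-email task if one is already pending" check and JoshWho's rate limit of at most 5 resends per 60 minutes with at least 10 minutes between them, can be combined in one server-side gate. The following is an added example written for this page, not Oxwall's own code: the `ValidationMailGate` class, the `ResendPolicy` values and the in-memory `queue`/`history` dictionaries are assumptions standing in for whatever cron-task table and storage the real platform uses. The clock is passed in as `now` so the behaviour is deterministic.

```python
"""Added example (not Oxwall code): de-duplicate and rate-limit the
"resend validation email" action so a click bot cannot flood the SMTP relay."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class ResendPolicy:
    # Values from the thread: 5 resends per hour, no closer than 10 minutes apart.
    max_per_window: int = 5
    window_seconds: int = 60 * 60
    min_gap_seconds: int = 10 * 60


@dataclass
class ValidationMailGate:
    policy: ResendPolicy = field(default_factory=ResendPolicy)
    # Pending cron tasks keyed by (user_id, task_type): at most one per key.
    # Stand-in for a DB table; a dict is per-process and only for illustration.
    queue: dict = field(default_factory=dict)
    # Per-user timestamps of *accepted* resend requests inside the window.
    history: dict = field(default_factory=dict)

    def request_resend(self, user_id, email, now):
        """Handle one click on "send email". Returns (accepted, reason).

        user_id must come from the server-side session, never from the request,
        otherwise an attacker can rotate ids to get a fresh budget each time.
        """
        key = (user_id, "validate_email")

        # Mitigation 1 (Mariano): ignore the click if the task is already queued.
        if key in self.queue:
            return False, "already_queued"

        # Mitigation 2 (JoshWho): sliding-window rate limit per user.
        hist = self.history.setdefault(user_id, deque())
        cutoff = now - self.policy.window_seconds
        while hist and hist[0] <= cutoff:          # drop events outside the hour
            hist.popleft()
        if hist and now - hist[-1] < self.policy.min_gap_seconds:
            return False, "too_soon"                # less than 10 minutes since last accepted
        if len(hist) >= self.policy.max_per_window:
            return False, "window_exhausted"        # 5 already accepted this hour

        hist.append(now)
        self.queue[key] = {"email": email, "requested_at": now}
        return True, "queued"

    def cron_run(self, send):
        """What the cron job does: send each queued task exactly once and drop it."""
        sent = 0
        for key, task in list(self.queue.items()):
            send(task["email"])
            del self.queue[key]
            sent += 1
        return sent


def simulate_click_bot(clicks=50):
    """Constructed scenario: a bot hammers the button every second for `clicks`
    seconds before the cron runs. Returns (emails_sent, rejections_by_reason)."""
    gate = ValidationMailGate()
    reasons = {}
    for t in range(clicks):
        ok, why = gate.request_resend(user_id=42, email="victim@example.com", now=t)
        if not ok:
            reasons[why] = reasons.get(why, 0) + 1
    outbox = []
    sent = gate.cron_run(outbox.append)
    return sent, reasons


if __name__ == "__main__":
    print(simulate_click_bot())  # one email leaves, 49 clicks rejected as already_queued
```

The ordering matters: the queue check runs first, so repeated clicks before the cron fires never even touch the rate limiter, and once the cron has drained the task the 10-minute gap and 5-per-hour budget take over. Refreshing the page or bookmarking the URL, the bypass dave describes, does not help the attacker because the state lives on the server keyed by the session's user id, not in anything the client sends.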
ross Team
ross Jun 15 '16

Guys, we have reported the issue to our devs; it will be fixed ASAP.

Note that if you do know how to fix a bug you found, you can make a pull request to our public repository on GitHub: https://github.com/oxwall.

JoshWho
JoshWho Jun 15 '16
Sweet, sounds good to me.