Email handler seems to be ignoring messages from a particular user perhaps due to an unauthorized user with same address

Larry Talley May 31, 2012

I created several users with my email address. The first was noaa.test.user. I was able to submit email through the email handler and not surprisingly the reporter was noaa.test.user.

So I removed authorizations from noaa.test.user. I removed access to JIRA and all group memberships.

Now the email handler is ignoring email messages from my address, even though I still have authorized users with that address.

I have demonstrated that I can fix the problem by changing the email address of the unauthorized users to an address that will never match any incoming messages. Then the address of an authorized user will be found. This is an adequate solution, so you can close this issue.

But... it seems like a bug to me, you may want to notify the developers.

1 answer

0 votes
Carl Myers
Rising Star
June 1, 2012

I agree, surprising behavior with easy alternative, I'd say that's a bug.

This also hits at a larger underlying issue, namely, that jira doesn't validate emails at all. If an issue is hidden to one user, but visible to another, you could possibly leak the issue's description or other details by sending an email to jira APPEARING to be from the authorized user, and also CCing yourself or an address jira doesn't know about (I think? I forget which functionality is built into jira and which comes from our plugins).

Long story short, comments made via email can't really be trusted at all and no permissions for things that come from email can really be enforced either, against a malicious user.
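
An added example, not part of the original posts and not JIRA's code: a Python sketch of a mail-intake check that covers both points in this thread, the unauthorized account shadowing an authorized one and the unauthenticated From header. The user `second.user`, the address `shared@example.org`, the MTA id `mx.example.org`, the function names, and the reliance on an `Authentication-Results` header stamped by your own border MTA are all assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed directory: two accounts share one address, as in the question.
USERS = [
    {"name": "noaa.test.user", "email": "shared@example.org", "authorized": False},
    {"name": "second.user", "email": "shared@example.org", "authorized": True},
]
TRUSTED_AUTHSERV = "mx.example.org"  # assumed id of our own border MTA

def lookup(addr, skip_unauthorized):
    """skip_unauthorized=False models the reported behaviour: first hit wins."""
    for user in USERS:
        if user["email"].lower() != addr.lower():
            continue
        if user["authorized"]:
            return user["name"]
        if not skip_unauthorized:
            return None  # unauthorized account shadows the authorized one
    return None

def from_is_authenticated(msg, addr):
    """Accept only a dmarc=pass verdict from our own MTA for the From domain."""
    # Assumes the border MTA strips inbound headers carrying its own id and
    # prepends its verdict, so only the topmost header is considered.
    headers = msg.get_all("Authentication-Results") or [""]
    parts = [p.strip().lower() for p in headers[0].split(";")]
    head = parts[0].split()
    if not head or head[0] != TRUSTED_AUTHSERV:
        return False
    domain = addr.rsplit("@", 1)[-1].lower()
    for p in parts[1:]:
        tokens = p.split()
        if tokens[:1] == ["dmarc=pass"] and f"header.from={domain}" in tokens:
            return True
    return False

def resolve_reporter(raw):
    msg = message_from_string(raw)
    addr = parseaddr(msg.get("From", ""))[1]
    if not addr or not from_is_authenticated(msg, addr):
        return None  # unauthenticated From: attribute the mail to nobody
    return lookup(addr, skip_unauthorized=True)

# Constructed sample messages.
GENUINE = ("Authentication-Results: mx.example.org; dmarc=pass header.from=example.org\n"
           "From: Second User <shared@example.org>\nSubject: new issue\n\nbody\n")
SPOOFED = ("Authentication-Results: mx.example.org; dmarc=fail header.from=example.org\n"
           "From: Second User <shared@example.org>\nSubject: comment\n\nbody\n")
```

A message that fails the check is attributed to no user at all, so nothing is created, commented on, or sent back on behalf of the claimed sender.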
