The default e-mail templates (such as registerconfirm.tmpl) that come with Dakar specify the To: address as "%FIRSTLASTNAME% <%EMAILADDRESS%>". When using Net::SMTP (at least), this To: field is parsed by splitting on commas and spaces. (see Net.pm, around line 265 in the official 4.0 distribution). Thus, if the line reads "To: Kevin Ring <kring@example.com>" TWiki will attempt to send emails to "Kevin", "Ring", and "<kring@example.com>". With most e-mail setups, this isn't noticeable because the last will go where it is intended and the first two are invalid and will go nowhere. But with some setups (an Exchange server on a LAN, in my case), "kevin" or "ring" might be a perfectly valid address. And it might not be the same person as "kring@example.com". If the registration email includes a password, it is not hard to imagine a situation where this is a security problem.
I was able to fix this by changing the split call to split only on commas, not whitespace.
-- Kevin Ring
Although you have told us where to look, if you provide a patch I'll fold it in this evening.
--
MC
Thanks for reporting this, Kevin.
SVN 8691.
--
SP
Yes, thanks Kevin. Thanks Steffen, for fixing this.
--
MC
Closed with release of 4.0.2
KJL