matomo-org / matomo

Empowering People Ethically with the leading open source alternative to Google Analytics that gives you full control over your data. Matomo lets you easily collect data from websites & apps and visualise this data and extract insights. Privacy is built-in. Liberating Web Analytics. Star us on Github? +1. And we love Pull Requests!
https://matomo.org/
GNU General Public License v3.0

rate limit scheduled email reports #14513

Open mattab opened 5 years ago

mattab commented 5 years ago

Email reports in Matomo can be abused to send many emails. For example, by creating a scheduled email report, then adding a few dozen (or more) email addresses (for example fake, or real), and then clicking "Send Report Now". The email report will be sent to all email addresses. The button can be clicked again and again. This fake email can be triggered every day as well.

Somehow it would be good to implement rate limiting. But not sure how the rate limiting should work...

See also https://github.com/matomo-org/matomo/issues/13813
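One shape such rate limiting could take, as an added illustration (Python, not Matomo's own PHP code): a sliding-window limiter that counts manual "Send Report Now" triggers per acting user, counts messages per recipient address per day regardless of which report or user triggered them, and caps the number of addresses on one report. The limit values and the `try_send` interface are assumptions chosen for the example; nothing in the thread fixes them.

```python
import time
from collections import defaultdict, deque

# Assumed limits for illustration; Matomo defines no such settings in this thread.
MAX_SENDS_PER_USER_PER_HOUR = 5        # manual "Send Report Now" attempts per user
MAX_EMAILS_PER_RECIPIENT_PER_DAY = 3   # messages any one address may receive per day
MAX_RECIPIENTS_PER_REPORT = 20         # addresses allowed on a single report

HOUR = 3600
DAY = 86400


class SendReportRateLimiter:
    """Sliding-window limiter for manual report sends.

    Two independent windows: one per acting user (stops repeated clicking)
    and one per recipient address (stops a single address being flooded,
    even across several reports or several users).  Every attempt that
    reaches the recipient stage is counted against the user, so clicking
    repeatedly is limited even when nothing is actually delivered.
    """

    def __init__(self, clock=time.time):
        self._clock = clock                      # injectable for tests
        self._user_sends = defaultdict(deque)    # user_id -> timestamps
        self._recipient_sends = defaultdict(deque)  # address -> timestamps

    @staticmethod
    def _prune(window, now, span):
        # Drop timestamps that have fallen out of the window.
        while window and window[0] <= now - span:
            window.popleft()

    def try_send(self, user_id, recipients):
        """Decide which addresses a manual send may go to right now.

        Returns a dict: allowed (bool), reason (str or None), sent (list of
        normalised addresses to deliver to), skipped (addresses held back).
        """
        now = self._clock()
        if len(recipients) > MAX_RECIPIENTS_PER_REPORT:
            return {"allowed": False, "reason": "too_many_recipients",
                    "sent": [], "skipped": list(recipients)}

        user_window = self._user_sends[user_id]
        self._prune(user_window, now, HOUR)
        if len(user_window) >= MAX_SENDS_PER_USER_PER_HOUR:
            return {"allowed": False, "reason": "user_rate_limited",
                    "sent": [], "skipped": list(recipients)}
        user_window.append(now)  # count the attempt, delivered or not

        sent, skipped = [], []
        # Normalise and de-duplicate while keeping the original order.
        for addr in dict.fromkeys(a.strip().lower() for a in recipients):
            window = self._recipient_sends[addr]
            self._prune(window, now, DAY)
            if len(window) >= MAX_EMAILS_PER_RECIPIENT_PER_DAY:
                skipped.append(addr)
                continue
            window.append(now)
            sent.append(addr)
        return {"allowed": True, "reason": None, "sent": sent, "skipped": skipped}
```

The per-recipient window is the one that matters for the abuse described above: it bounds how often any address can be hit in a day no matter how many reports, users or scheduled runs target it. In a real deployment the windows would live in shared storage (the database or a cache) rather than process memory, so that the limit survives restarts and applies across web workers.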

Findus23 commented 5 years ago

Maybe an even better (even though more complex to implement) solution would be to require an opt-in for all emails (similar to https://github.com/matomo-org/matomo/issues/13533)

So if you add an email to a report, it only gets added after the user clicked on a confirmation link.
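A way to implement that confirmation step, as an added illustration (Python, not Matomo's own code): when an address is added to a report it is held as pending and a single-use, HMAC-signed, time-limited token is generated for the confirmation link; the address becomes deliverable only after the token is presented back. The class name, the 48-hour validity and the token layout are assumptions of this example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time


class RecipientConfirmation:
    """Double opt-in for report recipients (assumed design, not Matomo's).

    Tokens are HMAC-SHA256 over a JSON payload [report_id, email, nonce, issued].
    The nonce is stored server-side per pending recipient, so a token is valid
    once only, and re-adding the address invalidates any earlier token.
    """

    def __init__(self, secret: bytes, ttl_seconds: int = 48 * 3600, clock=time.time):
        self._secret = secret          # server-side signing key, never sent out
        self._ttl = ttl_seconds
        self._clock = clock            # injectable for tests
        self._pending = {}             # (report_id, email) -> nonce
        self._confirmed = set()        # (report_id, email)

    def add_recipient(self, report_id, email):
        """Register the address as pending and return the token for the confirmation link."""
        email = email.strip().lower()
        nonce = secrets.token_hex(16)
        self._pending[(str(report_id), email)] = nonce
        payload = json.dumps([str(report_id), email, nonce, int(self._clock())]).encode()
        mac = hmac.new(self._secret, payload, hashlib.sha256).hexdigest()
        return base64.urlsafe_b64encode(payload).decode() + "." + mac

    def confirm(self, token):
        """Validate a presented token; on success the recipient becomes deliverable."""
        try:
            body, mac = token.split(".", 1)
            payload = base64.urlsafe_b64decode(body)
        except (ValueError, binascii.Error):
            return False
        expected = hmac.new(self._secret, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):   # constant-time comparison
            return False
        try:
            parts = json.loads(payload)
            report_id, email, nonce, issued = parts
        except (ValueError, TypeError):
            return False
        if self._clock() - int(issued) > self._ttl:
            return False                              # link expired
        key = (report_id, email)
        if self._pending.get(key) != nonce:
            return False                              # unknown, used, or superseded
        del self._pending[key]
        self._confirmed.add(key)
        return True

    def deliverable(self, report_id, recipients):
        """Filter a report's recipient list down to confirmed addresses only."""
        return [r for r in recipients
                if (str(report_id), r.strip().lower()) in self._confirmed]
```

The send path then calls `deliverable()` instead of using the raw recipient list, so an address that was typed in but never confirmed is simply never mailed, whether the report is sent manually or on schedule. The confirmation email itself is the only message an unconfirmed address ever receives, which is the property the opt-in is meant to guarantee.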