Uploading .eml file creates unwanted users- and sends them others' PMs

We are a strictly private group, and we discuss the merits of “sponsors”, who are not allowed in the group. We use SSO. Two of our users had a private message, and one uploaded an eml (email) file to the PM. The eml file contained the email addresses of three sponsors. Discourse discovered the email addresses, added the sponsors as staged users, and- even though they were still staged- emailed the sponsors subsequent posts in the PM. Obviously this violated our privacy.

To be fair, I had opened up the allowed upload file types to “*”, or allow all uploads. By default, they could not have uploaded an eml file. But what about a Word document? Will Discourse scan it for email addresses and add them as users?

To repro:

1. Start a PM
2. Find an old email from your ex
3. Upload the eml file to the PM
4. Your ex is now a staged user
5. Continue the PM
6. Your ex gets emails

Are you sure that the .eml file was uploaded or did someone forward an email to the PM?

There isn’t any special handling for uploaded files that would create staged users, but incoming emails can create staged users depending on your site settings. You might want to take a look at settings like forwarded_emails_behaviour and enable_staged_users.

It was an incoming email:

image893×99 12.4 KB

The incoming email shows up as an eml attachment(?) which created the staged users:

image948×518 28.8 KB

My settings. So I will deselect “enable staged users”. I’m sure there is some valid use case for that option.