We are a strictly private group, and we discuss the merits of “sponsors”, who are not allowed in the group. We use SSO. Two of our users had a private message, and one uploaded an eml (email) file to the PM. The eml file contained the email addresses of three sponsors. Discourse discovered the email addresses, added the sponsors as staged users, and- even though they were still staged- emailed the sponsors subsequent posts in the PM. Obviously this violated our privacy.
To be fair, I had opened up the allowed upload file types to “*”, or allow all uploads. By default, they could not have uploaded an eml file. But what about a Word document? Will Discourse scan it for email addresses and add them as users?
To repro:
- Start a PM
- Find an old email from your ex
- Upload the eml file to the PM
- Your ex is now a staged user
- Continue the PM
- Your ex gets emails