cloak user PII when making commits etc, and let cloaked PII be used in banned_users

This was needed due to emailauth, but I've also wrapped all IP address
exposure in cloak(), although the function doesn't yet cloak IP addresses.

(One IP address I didn't cloak is the one that appears on the password
reset email template. That is expected to be the user's own IP address,
so ok to show it to them.)

Thanks to smcv for the pointer to
http://xmlns.com/foaf/spec/#term_mbox_sha1sum

IkiWiki.pm

@@ -1430,6 +1430,7 @@ sub userpage ($) {
 	return length $config{userdir} ? "$config{userdir}/$user" : $user;
 }
 
+# Username to display for openid accounts.
 sub openiduser ($) {
 	my $user=shift;
 
@@ -1464,6 +1465,7 @@ sub openiduser ($) {
 	return;
 }
 
+# Username to display for emailauth accounts. 
 sub emailuser ($) {
 	my $user=shift;
 	if (defined $user && $user =~ m/(.+)@/) {
@@ -1475,6 +1477,22 @@ sub emailuser ($) {
 	return;
 }
 
+# Some user information should not be exposed in commit metadata, etc.
+# This generates a cloaked form of such information.
+sub cloak ($) {
+	my $user=shift;
+	# cloak email address using http://xmlns.com/foaf/spec/#term_mbox_sha1sum
+	if ($user=~m/(.+)@/) {
+		my $nick=$1;
+		eval q{use Digest::SHA};
+		return $user if $@;
+		return $nick.'@'.Digest::SHA::sha1_hex("mailto:$user");
+	}
+	else {
+		return $user;
+	}
+}
+
 sub htmlize ($$$$) {
 	my $page=shift;
 	my $destpage=shift;

IkiWiki/CGI.pm

@@ -336,16 +336,19 @@ sub check_banned ($$) {
 
 	my $banned=0;
 	my $name=$session->param("name");
+	my $cloak=cloak($name) if defined $name;
 	if (defined $name && 
-	    grep { $name eq $_ } @{$config{banned_users}}) {
+	    grep { $name eq $_ || $cloak eq $_ } @{$config{banned_users}}) {
 		$banned=1;
 	}
 
 	foreach my $b (@{$config{banned_users}}) {
 		if (pagespec_match("", $b,
 			ip => $session->remote_addr(),
-			name => defined $name ? $name : "",
-		)) {
+			name => defined $name ? $name : "")
+		   || pagespec_match("", $b,
+		   	ip => cloak($session->remote_addr()),
+			name => defined $cloak ? $cloak : "")) {
 			$banned=1;
 			last;
 		}

IkiWiki/Plugin/bzr.pm

@@ -133,10 +133,10 @@ sub bzr_author ($) {
 	my $ipaddr=$session->remote_addr();
 
 	if (defined $user) {
-		return IkiWiki::possibly_foolish_untaint($user);
+		return IkiWiki::possibly_foolish_untaint(IkiWiki::cloak($user));
 	}
 	elsif (defined $ipaddr) {
-		return "Anonymous from ".IkiWiki::possibly_foolish_untaint($ipaddr);
+		return "Anonymous from ".IkiWiki::possibly_foolish_untaint(IkiWiki::cloak($ipaddr));
 	}
 	else {
 		return "Anonymous";

IkiWiki/Plugin/comments.pm

@@ -466,7 +466,7 @@ sub editcomment ($$) {
 	my $content = "[[!comment format=$type\n";
 
 	if (defined $session->param('name')) {
-		my $username = $session->param('name');
+		my $username = IkiWiki::cloak($session->param('name'));
 		$username =~ s/"/"/g;
 		$content .= " username=\"$username\"\n";
 	}
@@ -479,7 +479,7 @@ sub editcomment ($$) {
 
 	if (!(defined $session->param('name') || defined $session->param('nickname')) &&
 		defined $session->remote_addr()) {
-		$content .= " ip=\"".$session->remote_addr()."\"\n";
+		$content .= " ip=\"".IkiWiki::cloak($session->remote_addr())."\"\n";
 	}
 
 	if ($config{comments_allowauthor}) {

IkiWiki/Plugin/cvs.pm

@@ -456,12 +456,12 @@ sub commitmessage (@) {
 	if (defined $params{session}) {
 		if (defined $params{session}->param("name")) {
 			return "web commit by ".
-				$params{session}->param("name").
+				IkiWiki::cloak($params{session}->param("name")).
 				(length $params{message} ? ": $params{message}" : "");
 		}
 		elsif (defined $params{session}->remote_addr()) {
 			return "web commit from ".
-				$params{session}->remote_addr().
+				IkiWiki::cloak($params{session}->remote_addr()).
 				(length $params{message} ? ": $params{message}" : "");
 		}
 	}

IkiWiki/Plugin/darcs.pm

@@ -147,10 +147,10 @@ sub commitauthor (@) {
 	my $author="anon\@web";
 	if (defined $params{session}) {
 		if (defined $params{session}->param("name")) {
-			return $params{session}->param("name").'@web';
+			return IkiWiki::cloak($params{session}->param("name")).'@web';
 		}
 		elsif (defined $params{session}->remote_addr()) {
-			return $params{session}->remote_addr().'@web';
+			return IkiWiki::cloak($params{session}->remote_addr()).'@web';
 		}
 	}
 	return 'anon@web';

IkiWiki/Plugin/git.pm

@@ -579,7 +579,7 @@ sub rcs_commit_helper (@) {
 			$u=$params{session}->remote_addr();
 		}
 		if (defined $u) {
-			$u=encode_utf8($u);
+			$u=encode_utf8(IkiWiki::cloak($u));
 			$ENV{GIT_AUTHOR_NAME}=$u;
 		}
 		if (defined $params{session}->param("nickname")) {

IkiWiki/Plugin/mercurial.pm

@@ -183,10 +183,10 @@ sub rcs_commit_helper (@) {
 	my $user="Anonymous";
 	if (defined $params{session}) {
 		if (defined $params{session}->param("name")) {
-			$user = $params{session}->param("name");
+			$user = IkiWiki::cloak($params{session}->param("name"));
 		}
 		elsif (defined $params{session}->remote_addr()) {
-			$user = $params{session}->remote_addr();
+			$user = IkiWiki::cloak($params{session}->remote_addr());
 		}
 
 		my $nickname=$user;

IkiWiki/Plugin/monotone.pm

@@ -310,10 +310,10 @@ sub commitauthor (@) {
 
 	if (defined $params{session}) {
 		if (defined $params{session}->param("name")) {
-			return "Web user: " . $params{session}->param("name");
+			return "Web user: " . IkiWiki::cloak($params{session}->param("name"));
 		}
 		elsif (defined $params{session}->remote_addr()) {
-			return "Web IP: " . $params{session}->remote_addr();
+			return "Web IP: " . IkiWiki::cloak($params{session}->remote_addr());
 		}
 	}
 	return "Web: Anonymous";

IkiWiki/Plugin/svn.pm

@@ -147,12 +147,12 @@ sub commitmessage (@) {
 	if (defined $params{session}) {
 		if (defined $params{session}->param("name")) {
 			return "web commit by ".
-				$params{session}->param("name").
+				IkiWiki::cloak($params{session}->param("name")).
 				(length $params{message} ? ": $params{message}" : "");
 		}
 		elsif (defined $params{session}->remote_addr()) {
 			return "web commit from ".
-				$params{session}->remote_addr().
+				IkiWiki::cloak($params{session}->remote_addr()).
 				(length $params{message} ? ": $params{message}" : "");
 		}
 	}

IkiWiki/Plugin/tla.pm

@@ -108,12 +108,12 @@ sub rcs_commit (@) {
 	if (defined $params{session}) {
 		if (defined $params{session}->param("name")) {
 			$message="web commit by ".
-				$params{session}->param("name").
+				IkiWiki::cloak($params{session}->param("name")).
 				(length $message ? ": $message" : "");
 		}
 		elsif (defined $params{session}->remote_addr()) {
 			$message="web commit from ".
-				$params{session}->remote_addr().
+				IkiWiki::cloak($params{session}->remote_addr()).
 				(length $message ? ": $message" : "");
 		}
 	}

doc/banned_users.mdwn

@@ -8,3 +8,7 @@ For example:
 
 If a banned user attempts to use the ikiwiki CGI, they will receive a 403
 Forbidden webpage indicating they are banned.
+
+Note that when [[plugins/emailauth]] is used, the user's email address
+is displayed in cloaked form in commits of their edits. This cloaked email
+address can be used as-is in the `banned_users` setting.

doc/plugins/emailauth.mdwn

@@ -11,8 +11,10 @@ some other form of authentication, such as [[passwordauth]] or [[openid]].
 Users who have logged in using emailauth will have their email address used as
 their username. In places where the username is displayed, like the
 RecentChanges page, the domain will be omitted, to avoid exposing the
-user's email address. Note though that the email address will be visible
-when looking at eg, commits in the git repository.
+user's email address. In places where the full username needs to be put,
+like commits of changes, the email address is cloaked using
+<a href="http://xmlns.com/foaf/spec/#term_mbox_sha1sum">the
+foaf:mbox_sha1sum spec</a>.
 
 This plugin needs the [[!cpan Mail::SendMail]] perl module installed,
 and able to send outgoing email.

doc/todo/emailauth.mdwn

@@ -131,4 +131,6 @@ Thoughts anyone? --[[Joey]]
 >>> from `smcv <smcv@debian.org>` - if the hash is of `mailto:whatever`
 >>> (like my example one) then it's compatible with
 >>> [FOAF](http://xmlns.com/foaf/spec/#term_mbox_sha1sum).
->>> --[[smcv]]
+>>> --[[smcv]]a
+
+>>> Email addresses are now cloaked in commits, using foaf:mbox_sha1sum. --[[Joey]]