Email problem

levitt1313 · 09-28-2016, 03:32 PM

Just updated to 4.1.5 the other day and testing everything out. From the login page if you click forgot password under help dropdown and then put in a valid email that is in the database , this is the message I get.

2016-09-28 17:19:12 Invalid address: (addAnAddress to): quest{3bc1fe685386cc4c3ab89a3f76566d8931e181ad17f08aed9ad73b30bf28114d}40hsrc.unc.edu

the first part of the email, (quest) is made up, everything after is valid and should be @hsrc.unc.edu
Double checked that the email is set for one of my users. Any help would be appreciated

brian · 09-28-2016, 03:48 PM

I know what the issue is, just drafting the correction then I will post here.

brian · 09-28-2016, 03:50 PM

This should be the fix for forgot_password.php. Try it, and let me know, there may be other fixes if this resolves your issue.

Change line 49 from:
'email' => $email,
To:
'email' => rawurlencode($email),

Change line 55 from:
$email_sent=email($encoded_email,$subject,$body);
To:
$email_sent=email($email,$subject,$body);

the function rawurlencode() was applied in the wrong place.

brian · 09-28-2016, 03:54 PM

Sorry, that doesn't quite do it...still encoded incorrectly...

You then need to go into users/views/_email_template_forgot_password.php and remove the urlencode() from the $email variable, on line 15.

levitt1313 · 09-28-2016, 09:01 PM

Hey Brian, thanks for the quick response, really appreciated. I will try that fix first thing in the am. Was this caused by the update??

brian · 09-28-2016, 09:02 PM

Not caused by update directly. It was a "fix" for another issue that just wasn't done right Big Grin

levitt1313 · 09-28-2016, 09:04 PM

Damn your are fast, thanks again for your help with this.

brian · 09-28-2016, 09:05 PM

Not a problem. Report back if other issues seem to exist.

levitt1313 · 09-29-2016, 09:13 AM

Hey Brian, The fix did not work for me. What worked was just changing line 53 in forgot_password.php from
$encoded_email=rawurlencode($email); to $encoded_email=$email; I left everything else the the way it was and when I received the email I could see that the email address in the link was url encoded correctly. By removing the rawurlencode for the email, isn't that removing the security for the forgot password form and could't someone try to pass in some scripting?

brian · 09-29-2016, 02:51 PM

The change you made should be fine. We will make sure we get them rolled into the next 4.x release.

The part you removed the rawurlencode() from is the "to" field of the email. For PHPMailer to parse it correctly, it needs to have the @ in there correctly rather than url encoded. The email template also used urlencode() which with the changes you've implemented just needs to be changed to rawurlencode().

The fix I posted worked on my copy. Not sure why it wouldn't have worked on yours...that's the more peculiar part.

Login




Remember me Lost Password?