View Issue Details

ID: 0018880
Project: phplist application
Category: Email
View Status: public
Last Update: 29-09-17 07:36
Reporter: samtuke
Priority: normal
Severity: minor
Reproducibility: N/A
Status: assigned
Resolution: open
Product Version:
Target Version: 3.3.3
Fixed in Version:
Summary: 0018880: Include a space after URL placeholders to avoid invalid user id / malformed URLs
Description: Currently it is possible to send malformed URLs in email notifications, for example for confirmation emails sent to subscribers, if the email text does not include a space after the placeholder used for printing the URL.

For example, on the settings page, setting the value of this field: "Message subscribers receive when they sign up" to include "Welcome, click here [CONFIRMATIONURL]!" (note the trailing exclamation mark) will result in an unrecognised user ID when the link is clicked (and by extension, it will be impossible for subscribers to join the list).

To remedy this issue, I propose adding a mandatory space after placeholder URLs so that text set by administrators cannot prevent the links from working.
Tags: No tags attached.

Activities

duncanc

28-09-17 16:57

developer   ~0059445

Presumably this applies only to text format emails, not html.
Is the problem that the ! is treated as part of the confirmation url? If so, then that might depend on the email client being used. In Thunderbird it is not treated as part of the url - see the screenshot. If instead I encoded the ! as %21 then that is treated as part of the url - see the second screenshot.

samtuke

28-09-17 18:48

administrator   ~0059446

The issue was spotted in a confirmation email, in HTML, viewed in Thunderbird. The message source was:

[plain text]
Dann klick doch hier:=0Ahttp://S=
isyphos.hosted.phplist.com/lists/?p=3Dconfirm&uid=3Da126b2b2263a0aa3f79cb1c=
f437fda7d!

[html]
Dann klick doch hier: <a href=3D"http://Sisyphos.hosted.phpli=
st.com/lists/?p=3Dconfirm&uid=3Da126b2b2263a0aa3f79cb1cf437fda7d!">http://S=
isyphos.hosted.phplist.com/lists/?p=3Dconfirm&uid=3Da126b2b2263a0aa3f79cb1c=
f437fda7d!</a>

Rendering in Thunderbird is attached.

Selection_298.png (52,863 bytes)

duncanc

28-09-17 20:26

developer   ~0059447

Ah I see. It is a problem with converting the confirmation request (entered on the subscribe page) from plain text to html.

See function constructSystemMail() in file lib.php. This regex to find urls for converting to html a elements is too loose. It is taking everything up to the next space or '<' character, so includes the '!' in the problem email.

        $htmlmessage = preg_replace('~https?://[^\s<]+~i', '<a href="$0">$0</a>', $htmlmessage);

duncanc

29-09-17 06:56

developer   ~0059461

Search results provide several regular expressions to convert urls to links, most of which look overly complicated. This one has a reasonably simple function that could be modified:

https://github.com/misd-service-development/php-linkify/blob/3481b148806a23b4001712de645247a1a4dcc10a/src/Misd/Linkify/Linkify.php#L131

It does handle the original problem, excluding the trailing ! from the url.

samtuke

29-09-17 07:36

administrator   ~0059462

That looks like a good solution. What about the plain text links - did your mail client not include the exclamation mark in the clickable link as well?
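
The behaviour discussed in this thread, as an added example that is not part of the original issue, phpList's code, or the linked php-linkify library: the loose pattern from constructSystemMail() next to a variant that moves trailing sentence punctuation outside the anchor. The function names, host and uid are assumptions made for illustration, and the variant goes slightly beyond the reported case by also handling `.,;:?` and an unmatched closing parenthesis.

```php
<?php
// Added example, not phpList code. Function names are hypothetical.

// The pattern quoted in the thread: everything up to the next
// whitespace or '<' is treated as part of the URL.
function linkify_loose(string $text): string
{
    return preg_replace('~https?://[^\s<]+~i', '<a href="$0">$0</a>', $text);
}

// Same match, but trailing sentence punctuation is peeled off the URL
// and re-appended after the closing </a>, so the uid stays intact.
function linkify_trimmed(string $text): string
{
    return preg_replace_callback(
        '~https?://[^\s<]+~i',
        function (array $m): string {
            $url = $m[0];
            $tail = '';
            while ($url !== '' && strpos('.,;:!?)', $url[strlen($url) - 1]) !== false) {
                $last = $url[strlen($url) - 1];
                // Keep a ')' that closes a '(' inside the URL itself.
                if ($last === ')' && substr_count($url, '(') >= substr_count($url, ')')) {
                    break;
                }
                $tail = $last . $tail;
                $url = substr($url, 0, -1);
            }
            return '<a href="' . $url . '">' . $url . '</a>' . $tail;
        },
        $text
    );
}

// Constructed sample input; host and uid are placeholders.
$message = 'Welcome, click here http://lists.example.org/lists/?p=confirm&uid=0123456789abcdef!';

// Loose: href ends in "...abcdef!" so the uid no longer matches.
echo linkify_loose($message), PHP_EOL;
// Trimmed: href ends in "...abcdef" and the "!" follows the </a>.
echo linkify_trimmed($message), PHP_EOL;
```

A regression test for this issue would assert that the href produced for a message ending in `[CONFIRMATIONURL]!` contains exactly the uid stored for the subscriber.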