Invalid uri in the password recovery mail
If the user's email address contains some characters like '+' (say foo+bar@domain), the link used to recover the password will contain '&address_mail=foo+bar@domain'. The recovery process will work, except that the confirmation mail will be sent to 'foo' and 'bar@domain' because the URI is badly encoded. Of course, this also means that the mail probably won't reach the user's mailbox.
A possible fix is:
diff --git a/html/class_passwordRecovery.inc b/html/class_passwordRecovery.inc index 8ad8b69..c090d10 100644 --- a/html/class_passwordRecovery.inc +++ b/html/class_passwordRecovery.inc @@ -544,7 +544,7 @@ class passwordRecovery { $reinit_link = $this->getPageURL(); $reinit_link .= "?uniq=".$activatecode; $reinit_link .= "&uid=".$this->uid; - $reinit_link .= "&address_mail=".$this->address_mail; + $reinit_link .= "&address_mail=".urlencode($this->address_mail); @DEBUG(DEBUG_TRACE, __LINE__, __FUNCTION__, __FILE__, $reinit_link, "Setting link to");
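Review bot: the uid parameter on the context line just above the changed one is still appended raw ($reinit_link .= "&uid=".$this->uid;), and so is $activatecode in "?uniq="; a value there containing '+', '&', '#' or a space would corrupt the link the same way the address did. Suggest passing both through urlencode() as well, or building the whole query string with http_build_query() so that no parameter is concatenated unencoded.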
(from redmine: issue id 3551, created on 2015-01-27, closed on 2015-01-28)
- Changesets:
- Revision 482e6a81 by Côme Chilliet on 2015-01-27T13:45:48.000Z:
Fixes #3551 Invalid uri in the password recovery mail
- Revision e5746981 by Côme Chilliet on 2015-01-27T13:46:02.000Z:
Fixes #3551 Invalid uri in the password recovery mail
- Custom Fields:
- Bug in version: 1.0.8.2
- Uploads:
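The round trip behind this report, as an added example that is not FusionDirectory code: it builds the recovery link by raw concatenation and with every parameter encoded, then decodes each link the way PHP does for $_GET and compares the address that comes back. The function names, base URL, code, uid and sample addresses are constructed for the illustration.

```php
<?php
// Added illustration; not FusionDirectory code. Function names, the base URL
// and the sample values are constructed for this example.

// Mirrors the pre-fix concatenation: values go into the query string as-is.
function build_link_raw(string $base, string $code, string $uid, string $mail): string
{
    return $base . "?uniq=" . $code . "&uid=" . $uid . "&address_mail=" . $mail;
}

// Encodes every parameter, not only address_mail.
function build_link_encoded(string $base, string $code, string $uid, string $mail): string
{
    return $base . '?' . http_build_query([
        'uniq'         => $code,
        'uid'          => $uid,
        'address_mail' => $mail,
    ]);
}

// Decodes the query string with the same rules PHP applies to $_GET.
function read_back(string $link): array
{
    $params = [];
    parse_str((string) parse_url($link, PHP_URL_QUERY), $params);
    return $params;
}

$base    = 'https://fd.example.org/recovery.php';   // constructed URL
$samples = ['plain@domain', 'foo+bar@domain', 'r&d@domain', 'a#b@domain'];

foreach ($samples as $mail) {
    foreach (['raw' => 'build_link_raw', 'encoded' => 'build_link_encoded'] as $label => $build) {
        $params   = read_back($build($base, 'CODE123', 'jdoe', $mail));
        $received = $params['address_mail'] ?? '(missing)';
        printf(
            "%-7s sent=%-15s received=%-15s %s\n",
            $label,
            $mail,
            $received,
            $received === $mail ? 'ok' : 'MISMATCH'
        );
    }
}
```

With raw concatenation, '+' comes back as a space, '&' ends the value early and '#' moves the rest of the address into the URL fragment; the encoded link returns every sample unchanged.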