Drupal 6.9, phpmailer 6.x-2.0-alpha2

I had about 15 administrator-created users in a blocked status, and changed all of them at once to an active status. These users had been created in a blocked status and never had an opportunity to log in.

What seems to happen - as one of my email accounts was on the list - is that every user got a login invitation (with a !login_url link) for himself and every other user that was unblocked in that shot.

The effect is of course unexpected and gives an absolutely untrustworthy impression of the site doing such foolish things.

I don't make this a critical bug only because I am willing to activate 15 users one at a time. A site with a larger number of users *would* see it as critical ... and because of the security implications, I report it also to the Drupal security team.

-ungeek-


Comments

dimmie’s picture

Sorry to have missed that one: in my configuration, phpmailer is extended by phpMailer v2.3.

Regards.

dimmie’s picture

Status: Active » Closed (fixed)

Finally found the culprit.
When mails are issued in rapid succession, like when notifying users of the administrator having blocked or unblocked them, the code in phpmailer kept adding the successive recipients as "To:" addresses to each mail, without ever clearing the array containing the recipients.

There are two ways to cure the problem:
1. Tick the "Keep connection alive" in Site configuration >> Mail >> Advanced SMTP settings.
2. Apply the attached patch to phpmailer/includes/phpmailer.drupal.inc.

Regards.

-ungeek-
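The failure mode described in the comment above, as an added example that is not part of the original issue or the phpmailer module's code: it shows a shared mailer object that is never reset delivering each login mail to earlier recipients, and a check that catches it. `DemoMailer`, `notify_users()` and `leaked_messages()` are hypothetical stand-ins, and the addresses are constructed.

```php
<?php
// Hypothetical stand-in for a mailer object reused across sends (not PHPMailer itself).
class DemoMailer {
  public $to = array();      // recipient list kept on the object between sends
  public $outbox = array();  // messages captured here instead of real SMTP delivery

  function addAddress($address) {
    $this->to[] = $address;
  }

  function clearAddresses() {
    $this->to = array();
  }

  function send($body) {
    $this->outbox[] = array('to' => $this->to, 'body' => $body);
    return TRUE;
  }
}

// Sends one account notification per user through a single shared mailer.
function notify_users(DemoMailer $mailer, array $users, $reset_between_sends) {
  foreach ($users as $address) {
    if ($reset_between_sends) {
      $mailer->clearAddresses();  // start every message with an empty recipient list
    }
    $mailer->addAddress($address);
    $mailer->send("One-time login link for $address");
  }
  return $mailer->outbox;
}

// Returns the captured messages addressed to anyone besides the intended user.
function leaked_messages(array $outbox, array $users) {
  $leaks = array();
  foreach ($outbox as $i => $message) {
    if ($message['to'] !== array($users[$i])) {
      $leaks[] = $message;
    }
  }
  return $leaks;
}

// Constructed sample addresses.
$users = array('alice@example.com', 'bob@example.com', 'carol@example.com');
$buggy = leaked_messages(notify_users(new DemoMailer(), $users, FALSE), $users);
$fixed = leaked_messages(notify_users(new DemoMailer(), $users, TRUE), $users);
printf("without reset: %d leaking messages\n", count($buggy));
printf("with reset: %d leaking messages\n", count($fixed));
```

A check like `leaked_messages()` belongs in a regression test for any code path that sends per-user secrets such as login links through a reused mailer.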

dimmie’s picture

Status: Closed (fixed) » Fixed

sun’s picture

Status: Fixed » Active

Sorry, drupal.org has been undergoing a major upgrade since yesterday. Your patch didn't make it into the issue. Please attach again (or try again tomorrow).

dimmie’s picture

FileSize
857 bytes

As requested, the patch that fixed my problem.

Regards.

-ungeek-

sun’s picture

Status: Active » Needs review

sun’s picture

Status: Needs review » Needs work

Patch looks good - but both conditions do the same now. Can we just replace the entire if/else statement and add the explanation, please?

recidive’s picture

Status: Needs work » Needs review
FileSize
838 bytes

I have been suffering from this issue for a long time. I've even changed SMTP provider in an attempt to fix this problem.

Changed the patch to remove the conditions.

Tested on 5.2 and it works.

Attached patch is for DRUPAL-5--2 branch.

Will submit patch for 6.

recidive’s picture

FileSize
713 bytes

Here is the patch for HEAD.

recidive’s picture

Title: Activating several blocked users at once results in cross-mailing » Emails are getting sent to multiple recipients
Priority: Normal » Critical

Changing title.
Bumping to critical.

sun’s picture

Status: Needs review » Fixed

Committed to both branches without testing.

Status: Fixed » Closed (fixed)
Issue tags: -cross-mailing

Automatically closed -- issue fixed for 2 weeks with no activity.