Drupal 6.9, phpmailer 6.x-2.0-alpha2
I had about 15 administrator-created users in a blocked status, and changed all of them at once to an active status. These users had been created in a blocked status and never had an opportunity to log in.
What seems to happen - as one of my email accounts was on the list - is that every user got a login invitation (with a !login_url link) for himself and every other user that was unblocked in that shot.
The effect is of course unexpected and gives an absolutely untrustworthy impression of the site doing such foolish things.
I don't make this a critical bug only because I am willing to activate 15 users one at a time. A site with a larger number of users *would* see it as critical ... and because of the security implications, I report it also to the Drupal security team.
-ungeek-
| Comment | File | Size | Author |
|---|---|---|---|
| #9 | phpmailer_multipl_tos_6.patch | 713 bytes | recidive |
| #8 | phpmailer_multipl_tos.patch | 838 bytes | recidive |
| #5 | phpmailer.patch | 857 bytes | dimmie |
Comments
Comment #1
dimmie commented: Sorry to have missed that one: in my configuration, phpmailer is extended by phpMailer v2.3.
Regards.
Comment #2
dimmie commented: Finally found the culprit.
When mails are issued in rapid succession, like when notifying users of the administrator having blocked or unblocked them, the code in phpmailer kept adding the successive recipients as *To:* addresses to each mail, without ever clearing the array containing the recipients.
There are two ways to cure the problem:
1. Tick "Keep connection alive" in Site configuration >> Mail >> Advanced SMTP settings.
2. Apply the attached patch to phpmailer/includes/phpmailer.drupal.inc.
Regards.
-ungeek-
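The accumulation dimmie describes, as an added example that is neither the module's code nor the attached patch: a constructed stand-in for a PHPMailer 2.x instance that is reused across sends (same AddAddress/ClearAllRecipients/Send method names as the real class, but it only records the To: list), driven by a loop like the one that mails each unblocked user. The ClearAllRecipients() call before each message is an assumption about what the fix amounts to, not a quote of the patch.

```php
<?php
// Constructed stand-in for a persistent PHPMailer object: it records the
// To: list handed to each Send() instead of talking to an SMTP server.
class RecordingMailer {
  public $to = array();
  public $sent = array();
  // Method names follow PHPMailer 2.x so the pattern maps onto the real class.
  public function AddAddress($address, $name = '') { $this->to[] = $address; }
  public function ClearAllRecipients() { $this->to = array(); }
  public function Send() { $this->sent[] = $this->to; return TRUE; }
}

// Sends one invitation per user through a shared mailer instance.
// $clear_first = FALSE reproduces the bug from comment #2: every mail after
// the first carries all previous recipients. TRUE gives exactly one To: each.
function send_invitations(RecordingMailer $mailer, array $emails, $clear_first) {
  foreach ($emails as $email) {
    if ($clear_first) {
      $mailer->ClearAllRecipients(); // assumed fix: reset recipient state per message
    }
    $mailer->AddAddress($email);
    $mailer->Send();
  }
  return $mailer->sent;
}

// TRUE when any recorded message exposes another user's address.
function leaks_recipients(array $sent) {
  foreach ($sent as $to) {
    if (count($to) !== 1) {
      return TRUE;
    }
  }
  return FALSE;
}

// Constructed sample users; a real site would read them from the users table.
$users = array('a@example.com', 'b@example.com', 'c@example.com');
$buggy = send_invitations(new RecordingMailer(), $users, FALSE);
$fixed = send_invitations(new RecordingMailer(), $users, TRUE);
printf("without clearing: %s\n", leaks_recipients($buggy) ? 'leaks addresses' : 'ok');
printf("with clearing:    %s\n", leaks_recipients($fixed) ? 'leaks addresses' : 'ok');
```

The same leak is easy to detect in the wild: a mail log or a recipient's headers showing a To: list that grows by one address per message is the signature to look for.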
Comment #3
dimmie commented:
Comment #4
sun commented: Sorry, drupal.org has been undergoing a major upgrade since yesterday. Your patch didn't make it into the issue. Please attach again (or try again tomorrow).
Comment #5
dimmie commented: As requested, the patch that fixed my problem.
Regards.
-ungeek-
Comment #6
sun commented:
Comment #7
sun commented: Patch looks good, but both conditions do the same now. Can we just replace the entire if/else statement and add the explanation, please?
Comment #8
recidive commented: I have been suffering from this issue for a long time. I've even changed SMTP provider in an attempt to fix this problem.
Changed the patch to remove the conditions.
Tested on 5.2 and it works.
Attached patch is for DRUPAL-5--2 branch.
Will submit patch for 6.
Comment #9
recidive commented: Here is the patch for HEAD.
Comment #10
recidive commented: Changing title.
Bumping to critical.
Comment #11
sun commented: Committed to both branches without testing.