Hi webform maintainers,

After the 6x-3.20 security update, the webform module is seemingly malfunctioning. The primary issue is that upon webform submission, the email it sends to the site owner no longer includes the webform email address field as the "from address," instead defaulting to the default server email address, so when the site owner attempts to reply to a customer inquiry, the customer's email address is not set as the sender, but rather, a default server email. As such, they get an undeliverable mail error, and are forced to manually paste the "from address" from included email values in order to reply to the customer. Before this update, the module worked perfectly and no other changes were made.

As I've gone about debugging things, I notice no errors in the system log, and I've attempted to print $_POST values from the form after submission. However, $_POST seems to be blank, as do the email fields after submission (email field data saves to the database, but I can't seem to access it outside of that method). I'm wondering, that since the security update was for an XSS vulnerability, if the email values are being stripped out outside of what's saved in the webform table, thus preventing the email field from being added to the headers of the mail when it's sent to the site owner.

Any thoughts would be greatly appreciated; if more info is needed please let me know and I will provide it.

Thank you.

Comments

tripodcreative

Update: I am also investigating things server-side in case an update to the server is screwing with the headers on send. I will follow up with any findings in this regard.

quicksketch

Status: Active » Postponed (maintainer needs more info)

> I'm wondering, that since the security update was for an XSS vulnerability, if the email values are being stripped out outside of what's saved in the webform table, thus preventing the email field from being added to the headers of the mail when it's sent to the site owner.

The XSS update shouldn't affect anything about the way Webform saves data or sends e-mail. The only thing it did was wrap the output of an error message in check_plain().

There were a dozen other changes in the 3.20 release not related to the security fix (https://drupal.org/node/2194181) but none of them seem related to e-mail headers either. To narrow down the possibilities, it'd be helpful if you could create a new form, add an e-mail to it with a custom from address, and see if it functions correctly. In my testing, I couldn't reproduce any problem with the From address/name being incorrect when using a custom manually typed value or when using a component value.

tripodcreative

Quicksketch -

Thanks for getting back to me so quickly. I'm going to rule out server problems first and then go through those steps. If the server ends up being the culprit, I'll post what I can in case someone else has this problem. If not, I'll be in reply with more information.

TC

DanChadwick

Status: Postponed (maintainer needs more info) » Closed (cannot reproduce)

Closed for presumption of cause outside of webform