Drupal 6.9, phpmailer 6.x-2.0-alpha2

I had about 15 administrator-created users in a blocked status, and changed all of them at once to an active status. These users had been created in a blocked status and never had an opportunity to log in.

What seems to happen - as one of my email accounts was on the list - is that every user got a login invitation (with a !login_url link) for himself and every other user that was unblocked in that shot.

The effect is of course unexpected and gives an absolutely untrustworthy impression of the site doing such foolish things.

I don't make this a critical bug only because I am willing to activate 15 users one at a time. A site with a larger number of users *would* see it as critical ... and because of the security implications, I report it also to the Drupal security team.



Sorry to have missed that one : in my configuration, phpmailer is extended by phpMailer v2.3


Status:Active» Closed (fixed)

Finally found the culprit.
When mails are issued in rapid succession, like when notifying users of the administrator having blocked or unblocked them, the code in phpmailer kept adding the successive recipients as *To:" adresses to each mail, without ever clearing the array containing the reciipents.

There are two ways to cure the problem :
1. Tick the "Keep connection alive" in Site configuration >> Mail >> Advanced SMTP settings.
2. Apply the attached patch to phpmailer/includes/phpmailer.drupal.inc .



Status:Closed (fixed)» Fixed

Status:Fixed» Active

Sorry, drupal.org undergoes a major upgrade since yesterday. Your patch didn't make it into the issue. Please attach again (or try again tomorrow).

new857 bytes

As requested, the patch that fixed my problem.



Status:Active» Needs review

Status:Needs review» Needs work

Patch looks good - but both conditions do the same now. Can we just replace the entire if/else statement and add the explanation, please?

Status:Needs work» Needs review
new838 bytes

I was suffering from this issue since long time ago. I've even changed smtp provider in attempt to fix this problem.

Changed the patch to remove the conditions.

Tested on 5.2 and it works.

Attached patch is for DRUPAL-5--2 branch.

Will submit patch for 6.

new713 bytes

Here is the patch for HEAD.

Title:Activating several blocked users at once results in cross-mailing Emails are getting sent to multiple recipients
Priority:Normal» Critical

Changing title.
Bumping to critical.

Status:Needs review» Fixed

Committed to both branches without testing.

Status:Fixed» Closed (fixed)
Issue tags:-cross-mailing

Automatically closed -- issue fixed for 2 weeks with no activity.