Incorrect Verification Code - Double Encoded #3393

Closed
shefik opened this Issue Jan 18, 2017 · 4 comments


@shefik
Contributor
shefik commented Jan 18, 2017
| Q | A |
| --- | --- |
| Zikula Version | 1.4.6 |
| PHP Version | 5.6 |

Expected behavior

The correct verification should display.

Actual behavior

When a new user registers, the welcome email gets sent with the URL to click. The verification code is appended to the URL as url_encode. However, the verification code in the URL is double-encoded. Therefore, when clicking the URL, the form is auto-populated from the parameter, with an incorrect single-decoded verification code.

Example URL: http://example.com/zauth/verify-registration/2wd321/%2529%25242Mf
Expected URL: http://example.com/zauth/verify-registration/2wd321/%29%242Mf
Expected Verification Code When Form is Auto-Populated: )$2Mf

Steps to reproduce

Register a new user. Receive the welcome email. Click the URL to verify your account.

@Guite Guite added the Bug label Jan 18, 2017
@Guite Guite added this to the 1.4.6 milestone Jan 18, 2017
@Guite Guite added the unconfirmed label Jan 18, 2017
@Guite
Member
Guite commented Jan 18, 2017

Didn't see this before. Could it be that you viewed the HTML email using a text mode in your email client? In my email client I see all HTML emails encoded until I explicitly allow the HTML view.

@shefik
Contributor
shefik commented Jan 18, 2017

I think the email came as plain text. But on a Mac, Apple Mail transforms URLs automatically as clickable.

@Guite
Member
Guite commented Jan 18, 2017

I think the emails come as multipart containing both html and plain text versions.

@Guite Guite removed the unconfirmed label Jan 20, 2017
@Guite
Member
Guite commented Jan 20, 2017

This is indeed a problem.
Example code: *EKQH
Shown in the linked url as: zauth/verify-registration/username/%252AEKQH
Shown in the form input field as: %2AEKQH

@Guite Guite added the Blocker label Jan 20, 2017
@Guite Guite closed this in #3423 Jan 30, 2017
@Guite Guite added a commit that referenced this issue Jan 30, 2017
@craigh @Guite craigh + Guite remove layer of url_encoding fixes #3393 (#3423)
* remove layer of url_encoding fixes #3393

* changelog
3419d61
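
The double encoding reported in this thread, reproduced as an added example (not Zikula's code, and written in Python rather than PHP so it can be run stand-alone). The function names and the `pre_encode` switch are hypothetical; the URLs and codes are the ones quoted in the issue.

```python
import re
from urllib.parse import quote, unquote

# Base URL as quoted in the issue; everything else here is illustrative.
BASE = "http://example.com/zauth/verify-registration"


def build_link(username, code, pre_encode=False):
    """Build the verification link.

    pre_encode=True reproduces the reported behaviour: the caller encodes
    the code, then the URL builder encodes the path segment again.
    """
    if pre_encode:
        code = quote(code, safe="")  # the extra layer that the fix removes
    # Assumption: the URL builder percent-encodes each path segment once.
    return "/".join([BASE, quote(username, safe=""), quote(code, safe="")])


def code_from_link(url):
    """Value the form is auto-populated with: last segment, decoded once."""
    return unquote(url.rsplit("/", 1)[1])


def round_trips(username, code, pre_encode=False):
    """Regression check: the code shown in the form equals the code issued."""
    return code_from_link(build_link(username, code, pre_encode)) == code


# '%25' followed by two hex digits is an encoded '%XX' sequence.
DOUBLE_ENCODED = re.compile(r"%25[0-9A-Fa-f]{2}")


def looks_double_encoded(url):
    """Heuristic for scanning generated links. A code that really contains
    the literal text '%2A' would also match, so round_trips() is the
    authoritative check."""
    return bool(DOUBLE_ENCODED.search(url))


if __name__ == "__main__":
    for user, code in (("2wd321", ")$2Mf"), ("username", "*EKQH")):
        for pre in (True, False):
            url = build_link(user, code, pre)
            print(pre, url, repr(code_from_link(url)), looks_double_encoded(url))
```
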