Fix link for read or unsubscribe must use a unique hash
This commit is contained in:
Laurent Destailleur
parent
926d88ede6
commit
4068b1db87
@ -155,7 +155,7 @@ if (!empty($conf->global->MAILING_EMAIL_ERRORSTO) && !isValidEmail($conf->global
|
||||
print ' '.img_warning($langs->trans("BadEMail"));
|
||||
}
|
||||
print '</td>';
|
||||
print '<td class="hideonsmartphone"><span class="opacitymedium">webmaster@example.com></span></td>';
|
||||
print '<td class="hideonsmartphone"><span class="opacitymedium">'.dol_escape_htmltag('<webmaster@example.com>').'</span></td>';
|
||||
print '</tr>';
|
||||
|
||||
print '<tr class="oddeven"><td>';
|
||||
|
||||
@ -48,13 +48,14 @@ if ($action == 'test' || ($action == 'send' && $trackid = 'test')) {
|
||||
|
||||
$substitutionarrayfortest = array(
|
||||
'__DOL_MAIN_URL_ROOT__'=>DOL_MAIN_URL_ROOT,
|
||||
'__CHECK_READ__' => (!empty($object) && is_object($object) && is_object($object->thirdparty)) ? '<img src="'.DOL_MAIN_URL_ROOT.'/public/emailing/mailing-read.php?tag='.$object->thirdparty->tag.'&securitykey='.urlencode($conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY).'" width="1" height="1" style="width:1px;height:1px" border="0"/>' : '',
|
||||
'__CHECK_READ__' => '<img src="'.DOL_MAIN_URL_ROOT.'/public/emailing/mailing-read.php?tag=undefinedtag&securitykey='.dol_hash($conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY."-undefinedtag", 'md5').'" width="1" height="1" style="width:1px;height:1px" border="0" />',
|
||||
'__USER_LOGIN__' => $user->login,
|
||||
'__USER_EMAIL__' => $user->email,
|
||||
'__USER_SIGNATURE__' => (($user->signature && empty($conf->global->MAIN_MAIL_DO_NOT_USE_SIGN)) ? $usersignature : ''), // Done into actions_sendmails
|
||||
'__SENDEREMAIL_SIGNATURE__' => (($user->signature && empty($conf->global->MAIN_MAIL_DO_NOT_USE_SIGN)) ? $usersignature : ''), // Done into actions_sendmails
|
||||
'__ID__' => 'RecipientIdRecord',
|
||||
//'__EMAIL__' => 'RecipientEMail', // Done into actions_sendmails
|
||||
'__LOGIN__' => $user->login,
|
||||
'__LASTNAME__' => 'RecipientLastname',
|
||||
'__FIRSTNAME__' => 'RecipientFirstname',
|
||||
'__ADDRESS__'=> 'RecipientAddress',
|
||||
|
||||
@ -42,11 +42,13 @@ if ($action == 'test' || $action == 'send') {
|
||||
|
||||
$substitutionarrayfortest = array(
|
||||
'__DOL_MAIN_URL_ROOT__'=>DOL_MAIN_URL_ROOT,
|
||||
'__ID__' => 'RecipientIdRecord',
|
||||
//'__EMAIL__' => 'RecipientEMail', // Done into actions_sendmails
|
||||
'__CHECK_READ__' => (!empty($object) && is_object($object) && is_object($object->thirdparty)) ? '<img src="'.DOL_MAIN_URL_ROOT.'/public/emailing/mailing-read.php?tag='.$object->thirdparty->tag.'&securitykey='.urlencode($conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY).'" width="1" height="1" style="width:1px;height:1px" border="0"/>' : '',
|
||||
'__CHECK_READ__' => '<img src="'.DOL_MAIN_URL_ROOT.'/public/emailing/mailing-read.php?tag=undefinedtag&securitykey='.dol_hash($conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY."-undefinedtag", 'md5').'" width="1" height="1" style="width:1px;height:1px" border="0"/>',
|
||||
'__USER_LOGIN__' => $user->login,
|
||||
'__USER_EMAIL__' => $user->email,
|
||||
'__USER_SIGNATURE__' => (($user->signature && empty($conf->global->MAIN_MAIL_DO_NOT_USE_SIGN)) ? $usersignature : ''), // Done into actions_sendmails
|
||||
'__SENDEREMAIL_SIGNATURE__' => (($user->signature && empty($conf->global->MAIN_MAIL_DO_NOT_USE_SIGN)) ? $usersignature : ''), // Done into actions_sendmails
|
||||
'__ID__' => 'RecipientIdRecord',
|
||||
//'__EMAIL__' => 'RecipientEMail', // Done into actions_sendmails
|
||||
'__LOGIN__' => $user->login,
|
||||
'__LASTNAME__' => 'RecipientLastname',
|
||||
'__FIRSTNAME__' => 'RecipientFirstname',
|
||||
|
||||
@ -248,9 +248,9 @@ if (empty($reshook)) {
|
||||
$substitutionarray['__OTHER5__'] = $other5;
|
||||
$substitutionarray['__USER_SIGNATURE__'] = $signature; // Signature is empty when ran from command line or taken from user in parameter)
|
||||
$substitutionarray['__SENDEREMAIL_SIGNATURE__'] = $signature; // Signature is empty when ran from command line or taken from user in parameter)
|
||||
$substitutionarray['__CHECK_READ__'] = '<img src="'.DOL_MAIN_URL_ROOT.'/public/emailing/mailing-read.php?tag='.urlencode($obj->tag).'&securitykey='.urlencode($conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY).'&email='.urlencode($obj->email).'&mtid='.$obj->rowid.'" width="1" height="1" style="width:1px;height:1px" border="0"/>';
|
||||
$substitutionarray['__UNSUBSCRIBE__'] = '<a href="'.DOL_MAIN_URL_ROOT.'/public/emailing/mailing-unsubscribe.php?tag='.urlencode($obj->tag).'&unsuscrib=1&securitykey='.urlencode($conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY).'&email='.urlencode($obj->email).'&mtid='.$obj->rowid.'" target="_blank" rel="noopener noreferrer">'.$langs->trans("MailUnsubcribe").'</a>';
|
||||
$substitutionarray['__UNSUBSCRIBE_URL__'] = DOL_MAIN_URL_ROOT.'/public/emailing/mailing-unsubscribe.php?tag='.urlencode($obj->tag).'&unsuscrib=1&securitykey='.urlencode($conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY).'&email='.urlencode($obj->email).'&mtid='.$obj->rowid;
|
||||
$substitutionarray['__CHECK_READ__'] = '<img src="'.DOL_MAIN_URL_ROOT.'/public/emailing/mailing-read.php?tag='.urlencode($obj->tag).'&securitykey='.dol_hash($conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY.'-'.$obj->tag.'-'.$obj->email.'-'.$obj->rowid, "md5").'&email='.urlencode($obj->email).'&mtid='.((int) $obj->rowid).'" width="1" height="1" style="width:1px;height:1px" border="0"/>';
|
||||
$substitutionarray['__UNSUBSCRIBE__'] = '<a href="'.DOL_MAIN_URL_ROOT.'/public/emailing/mailing-unsubscribe.php?tag='.urlencode($obj->tag).'&unsuscrib=1&securitykey='.dol_hash($conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY.'-'.$obj->tag.'-'.$obj->email.'-'.$obj->rowid, "md5").'&email='.urlencode($obj->email).'&mtid='.((int) $obj->rowid).'" target="_blank" rel="noopener noreferrer">'.$langs->trans("MailUnsubcribe").'</a>';
|
||||
$substitutionarray['__UNSUBSCRIBE_URL__'] = DOL_MAIN_URL_ROOT.'/public/emailing/mailing-unsubscribe.php?tag='.urlencode($obj->tag).'&unsuscrib=1&securitykey='.dol_hash($conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY.'-'.$obj->tag.'-'.$obj->email.'-'.$obj->rowid, "md5").'&email='.urlencode($obj->email).'&mtid='.((int) $obj->rowid);
|
||||
|
||||
$onlinepaymentenabled = 0;
|
||||
if (isModEnabled('paypal')) {
|
||||
@ -480,9 +480,9 @@ if (empty($reshook)) {
|
||||
// other are set at begin of page
|
||||
$substitutionarray['__EMAIL__'] = $object->sendto;
|
||||
$substitutionarray['__MAILTOEMAIL__'] = '<a href="mailto:'.$object->sendto.'">'.$object->sendto.'</a>';
|
||||
$substitutionarray['__CHECK_READ__'] = '<img src="'.DOL_MAIN_URL_ROOT.'/public/emailing/mailing-read.php?tag=undefinedintestmode&securitykey='.urlencode($conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY).'&email='.urlencode($obj->sendto).'&mtid=0" width="1" height="1" style="width:1px;height:1px" border="0"/>';
|
||||
$substitutionarray['__UNSUBSCRIBE__'] = '<a href="'.DOL_MAIN_URL_ROOT.'/public/emailing/mailing-unsubscribe.php?tag=undefinedintestmode&unsuscrib=1&securitykey='.urlencode($conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY).'&email='.urlencode($obj->sendto).'&mtid=0" target="_blank" rel="noopener noreferrer">'.$langs->trans("MailUnsubcribe").'</a>';
|
||||
$substitutionarray['__UNSUBSCRIBE_URL__'] = DOL_MAIN_URL_ROOT.'/public/emailing/mailing-unsubscribe.php?tag=undefinedintestmode&unsuscrib=1&securitykey='.urlencode($conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY).'&email='.urlencode($obj->sendto).'&mtid=0';
|
||||
$substitutionarray['__CHECK_READ__'] = '<img src="'.DOL_MAIN_URL_ROOT.'/public/emailing/mailing-read.php?tag=undefinedintestmode&securitykey='.dol_hash($conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY."-undefinedintestmode-".$obj->sendto."-0", 'md5').'&email='.urlencode($obj->sendto).'&mtid=0" width="1" height="1" style="width:1px;height:1px" border="0"/>';
|
||||
$substitutionarray['__UNSUBSCRIBE__'] = '<a href="'.DOL_MAIN_URL_ROOT.'/public/emailing/mailing-unsubscribe.php?tag=undefinedintestmode&unsuscrib=1&securitykey='.dol_hash($conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY."-undefinedintestmode-".$obj->sendto."-0", 'md5').'&email='.urlencode($obj->sendto).'&mtid=0" target="_blank" rel="noopener noreferrer">'.$langs->trans("MailUnsubcribe").'</a>';
|
||||
$substitutionarray['__UNSUBSCRIBE_URL__'] = DOL_MAIN_URL_ROOT.'/public/emailing/mailing-unsubscribe.php?tag=undefinedintestmode&unsuscrib=1&securitykey='.dol_hash($conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY."-undefinedintestmode-".$obj->sendto."-0", 'md5').'&email='.urlencode($obj->sendto).'&mtid=0';
|
||||
|
||||
// Subject and message substitutions
|
||||
complete_substitutions_array($substitutionarray, $langs, $targetobject);
|
||||
|
||||
@ -469,7 +469,7 @@ if (!$error && $massaction == 'confirm_presend') {
|
||||
$substitutionarray['__ID__'] = ($oneemailperrecipient ? join(', ', array_keys($listofqualifiedobj)) : $objecttmp->id);
|
||||
$substitutionarray['__REF__'] = ($oneemailperrecipient ? join(', ', $listofqualifiedref) : $objecttmp->ref);
|
||||
$substitutionarray['__EMAIL__'] = $thirdparty->email;
|
||||
$substitutionarray['__CHECK_READ__'] = '<img src="'.DOL_MAIN_URL_ROOT.'/public/emailing/mailing-read.php?tag='.urlencode($thirdparty->tag).'&securitykey='.urlencode($conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY).'" width="1" height="1" style="width:1px;height:1px" border="0"/>';
|
||||
$substitutionarray['__CHECK_READ__'] = '<img src="'.DOL_MAIN_URL_ROOT.'/public/emailing/mailing-read.php?tag=undefined&securitykey='.dol_hash($conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY."-undefined", 'md5').'" width="1" height="1" style="width:1px;height:1px" border="0"/>';
|
||||
|
||||
$parameters = array('mode'=>'formemail');
|
||||
|
||||
|
||||
@ -346,7 +346,7 @@ if (($action == 'send' || $action == 'relance') && !GETPOST('addfile') && !GETPO
|
||||
// Make substitution in email content
|
||||
$substitutionarray = getCommonSubstitutionArray($langs, 0, null, $object);
|
||||
$substitutionarray['__EMAIL__'] = $sendto;
|
||||
$substitutionarray['__CHECK_READ__'] = (is_object($object) && is_object($object->thirdparty)) ? '<img src="'.DOL_MAIN_URL_ROOT.'/public/emailing/mailing-read.php?tag='.urlencode($object->thirdparty->tag).'&securitykey='.urlencode($conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY).'" width="1" height="1" style="width:1px;height:1px" border="0"/>' : '';
|
||||
$substitutionarray['__CHECK_READ__'] = (is_object($object) && is_object($object->thirdparty)) ? '<img src="'.DOL_MAIN_URL_ROOT.'/public/emailing/mailing-read.php?tag=undefined&securitykey='.dol_hash($conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY."-undefined", 'md5').'" width="1" height="1" style="width:1px;height:1px" border="0"/>' : '';
|
||||
|
||||
$parameters = array('mode'=>'formemail');
|
||||
complete_substitutions_array($substitutionarray, $langs, $object, $parameters);
|
||||
|
||||
@ -282,7 +282,7 @@ if ($massaction == 'presend') {
|
||||
$substitutionarray = getCommonSubstitutionArray($langs, 0, null, $object);
|
||||
|
||||
$substitutionarray['__EMAIL__'] = $sendto;
|
||||
$substitutionarray['__CHECK_READ__'] = (is_object($object) && is_object($object->thirdparty)) ? '<img src="'.DOL_MAIN_URL_ROOT.'/public/emailing/mailing-read.php?tag='.urlencode($object->thirdparty->tag).'&securitykey='.urlencode($conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY).'" width="1" height="1" style="width:1px;height:1px" border="0"/>' : '';
|
||||
$substitutionarray['__CHECK_READ__'] = '<img src="'.DOL_MAIN_URL_ROOT.'/public/emailing/mailing-read.php?tag=undefined&securitykey='.dol_hash($conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY."-undefined", 'md5').'" width="1" height="1" style="width:1px;height:1px" border="0"/>';
|
||||
$substitutionarray['__PERSONALIZED__'] = ''; // deprecated
|
||||
$substitutionarray['__CONTACTCIVNAME__'] = '';
|
||||
|
||||
|
||||
@ -191,7 +191,6 @@ if (!$error && $massaction == 'confirm_presend_attendees') {
|
||||
}
|
||||
$substitutionarray['__EVENTORGANIZATION_ICS_LINK__'] = $html_link;
|
||||
$substitutionarray['__EVENTORGANIZATION_URL_LINK__'] = $url_link;
|
||||
$substitutionarray['__CHECK_READ__'] = '<img src="' . DOL_MAIN_URL_ROOT . '/public/emailing/mailing-read.php?tag=' . urlencode($attendees->thirdparty->tag) . '&securitykey=' . urlencode($conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY) . '" width="1" height="1" style="width:1px;height:1px" border="0"/>';
|
||||
|
||||
$parameters = array('mode' => 'formemail');
|
||||
|
||||
|
||||
@ -85,17 +85,17 @@ $securitykey = GETPOST('securitykey');
|
||||
|
||||
dol_syslog("public/emailing/mailing-read.php : tag=".$tag." securitykey=".$securitykey, LOG_DEBUG);
|
||||
|
||||
if ($securitykey != $conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY) {
|
||||
if ($securitykey != dol_hash(getDolGlobalString('MAILING_EMAIL_UNSUBSCRIBE_KEY')."-".$tag."-".$email."-".$mtid, 'md5')) {
|
||||
print 'Bad security key value.';
|
||||
exit;
|
||||
}
|
||||
|
||||
if (!empty($tag)) {
|
||||
if (!empty($tag) && $tag != 'undefined') {
|
||||
dol_syslog("public/emailing/mailing-read.php : Update status of email target and thirdparty for tag ".$tag, LOG_DEBUG);
|
||||
|
||||
$sql = "SELECT mc.rowid, mc.email, mc.statut, mc.source_type, mc.source_id, m.entity";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."mailing_cibles as mc, ".MAIN_DB_PREFIX."mailing as m";
|
||||
$sql .= " WHERE mc.fk_mailing = m.rowid AND mc.tag='".$db->escape($tag)."'";
|
||||
$sql .= " WHERE mc.fk_mailing = m.rowid AND mc.tag = '".$db->escape($tag)."'";
|
||||
|
||||
$resql = $db->query($sql);
|
||||
if (!$resql) dol_print_error($db);
|
||||
|
||||
@ -61,6 +61,8 @@ global $user, $conf, $langs;
|
||||
|
||||
$langs->loadLangs(array("main", "mails"));
|
||||
|
||||
$mtid = GETPOST('mtid');
|
||||
$email = GETPOST('email');
|
||||
$tag = GETPOST('tag'); // To retreive the emailing, and recipient
|
||||
$unsuscrib = GETPOST('unsuscrib');
|
||||
$securitykey = GETPOST('securitykey');
|
||||
@ -70,9 +72,9 @@ $securitykey = GETPOST('securitykey');
|
||||
* Actions
|
||||
*/
|
||||
|
||||
dol_syslog("public/emailing/mailing-read.php : tag=".$tag." securitykey=".$securitykey, LOG_DEBUG);
|
||||
dol_syslog("public/emailing/mailing-unsubscribe.php : tag=".$tag." securitykey=".$securitykey, LOG_DEBUG);
|
||||
|
||||
if ($securitykey != getDolGlobalString('MAILING_EMAIL_UNSUBSCRIBE_KEY')) {
|
||||
if ($securitykey != dol_hash(getDolGlobalString('MAILING_EMAIL_UNSUBSCRIBE_KEY')."-".$tag."-".$email."-".$mtid, 'md5')) {
|
||||
print 'Bad security key value.';
|
||||
exit;
|
||||
}
|
||||
|
||||
@ -229,9 +229,9 @@ if ($resql) {
|
||||
$substitutionarray['__OTHER5__'] = $other5;
|
||||
$substitutionarray['__USER_SIGNATURE__'] = $signature; // Signature is empty when ran from command line or taken from user in parameter)
|
||||
$substitutionarray['__SIGNATURE__'] = $signature; // For backward compatibility
|
||||
$substitutionarray['__CHECK_READ__'] = '<img src="'.DOL_MAIN_URL_ROOT.'/public/emailing/mailing-read.php?tag='.urlencode($obj->tag).'&securitykey='.urlencode($conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY).'&email='.urlencode($obj->email).'&mtid='.$obj->rowid.'" width="1" height="1" style="width:1px;height:1px" border="0"/>';
|
||||
$substitutionarray['__UNSUBSCRIBE__'] = '<a href="'.DOL_MAIN_URL_ROOT.'/public/emailing/mailing-unsubscribe.php?tag='.urlencode($obj->tag).'&unsuscrib=1&securitykey='.urlencode($conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY).'&email='.urlencode($obj->email).'&mtid='.$obj->rowid.'" target="_blank">'.$langs->trans("MailUnsubcribe").'</a>';
|
||||
$substitutionarray['__UNSUBSCRIBE_URL__'] = DOL_MAIN_URL_ROOT.'/public/emailing/mailing-unsubscribe.php?tag='.urlencode($obj->tag).'&unsuscrib=1&securitykey='.urlencode($conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY).'&email='.urlencode($obj->email).'&mtid='.$obj->rowid;
|
||||
$substitutionarray['__CHECK_READ__'] = '<img src="'.DOL_MAIN_URL_ROOT.'/public/emailing/mailing-read.php?tag='.urlencode($obj->tag).'&securitykey='.dol_hash($conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY."-".$obj->tag."-".$obj->email."-".$obj->rowid, "md5").'&email='.urlencode($obj->email).'&mtid='.((int) $obj->rowid).'" width="1" height="1" style="width:1px;height:1px" border="0"/>';
|
||||
$substitutionarray['__UNSUBSCRIBE__'] = '<a href="'.DOL_MAIN_URL_ROOT.'/public/emailing/mailing-unsubscribe.php?tag='.urlencode($obj->tag).'&unsuscrib=1&securitykey='.dol_hash($conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY."-".$obj->tag."-".$obj->email."-".$obj->rowid, "md5").'&email='.urlencode($obj->email).'&mtid='.((int) $obj->rowid).'" target="_blank">'.$langs->trans("MailUnsubcribe").'</a>';
|
||||
$substitutionarray['__UNSUBSCRIBE_URL__'] = DOL_MAIN_URL_ROOT.'/public/emailing/mailing-unsubscribe.php?tag='.urlencode($obj->tag).'&unsuscrib=1&securitykey='.dol_hash($conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY."-".$obj->tag."-".$obj->email."-".$obj->rowid, "md5").'&email='.urlencode($obj->email).'&mtid='.((int) $obj->rowid);
|
||||
|
||||
$onlinepaymentenabled = 0;
|
||||
if (!empty($conf->paypal->enabled)) {
|
||||
|
||||
Loading…
Reference in New Issue
Block a user