';
diff --git a/htdocs/admin/mails.php b/htdocs/admin/mails.php
index e9a8132188c..06f4dfdea85 100644
--- a/htdocs/admin/mails.php
+++ b/htdocs/admin/mails.php
@@ -48,13 +48,14 @@ if ($action == 'test' || ($action == 'send' && $trackid = 'test')) {
$substitutionarrayfortest = array(
'__DOL_MAIN_URL_ROOT__'=>DOL_MAIN_URL_ROOT,
- '__CHECK_READ__' => (!empty($object) && is_object($object) && is_object($object->thirdparty)) ? '.') ' : '',
+ '__CHECK_READ__' => ' ',
'__USER_LOGIN__' => $user->login,
'__USER_EMAIL__' => $user->email,
'__USER_SIGNATURE__' => (($user->signature && empty($conf->global->MAIN_MAIL_DO_NOT_USE_SIGN)) ? $usersignature : ''), // Done into actions_sendmails
'__SENDEREMAIL_SIGNATURE__' => (($user->signature && empty($conf->global->MAIN_MAIL_DO_NOT_USE_SIGN)) ? $usersignature : ''), // Done into actions_sendmails
'__ID__' => 'RecipientIdRecord',
//'__EMAIL__' => 'RecipientEMail', // Done into actions_sendmails
+ '__LOGIN__' => $user->login,
'__LASTNAME__' => 'RecipientLastname',
'__FIRSTNAME__' => 'RecipientFirstname',
'__ADDRESS__'=> 'RecipientAddress',
diff --git a/htdocs/admin/mails_emailing.php b/htdocs/admin/mails_emailing.php
index b9cb57e0d80..1f638be3286 100644
--- a/htdocs/admin/mails_emailing.php
+++ b/htdocs/admin/mails_emailing.php
@@ -42,11 +42,13 @@ if ($action == 'test' || $action == 'send') {
$substitutionarrayfortest = array(
'__DOL_MAIN_URL_ROOT__'=>DOL_MAIN_URL_ROOT,
- '__ID__' => 'RecipientIdRecord',
- //'__EMAIL__' => 'RecipientEMail', // Done into actions_sendmails
- '__CHECK_READ__' => (!empty($object) && is_object($object) && is_object($object->thirdparty)) ? '' : '',
+ '__CHECK_READ__' => '',
+ '__USER_LOGIN__' => $user->login,
+ '__USER_EMAIL__' => $user->email,
'__USER_SIGNATURE__' => (($user->signature && empty($conf->global->MAIN_MAIL_DO_NOT_USE_SIGN)) ? $usersignature : ''), // Done into actions_sendmails
'__SENDEREMAIL_SIGNATURE__' => (($user->signature && empty($conf->global->MAIN_MAIL_DO_NOT_USE_SIGN)) ? $usersignature : ''), // Done into actions_sendmails
+ '__ID__' => 'RecipientIdRecord',
+ //'__EMAIL__' => 'RecipientEMail', // Done into actions_sendmails
'__LOGIN__' => $user->login,
'__LASTNAME__' => 'RecipientLastname',
'__FIRSTNAME__' => 'RecipientFirstname',
diff --git a/htdocs/comm/mailing/card.php b/htdocs/comm/mailing/card.php
index 1fec22ea979..066fbedef51 100644
--- a/htdocs/comm/mailing/card.php
+++ b/htdocs/comm/mailing/card.php
@@ -248,9 +248,9 @@ if (empty($reshook)) {
$substitutionarray['__OTHER5__'] = $other5;
$substitutionarray['__USER_SIGNATURE__'] = $signature; // Signature is empty when ran from command line or taken from user in parameter)
$substitutionarray['__SENDEREMAIL_SIGNATURE__'] = $signature; // Signature is empty when ran from command line or taken from user in parameter)
- $substitutionarray['__CHECK_READ__'] = '.'&securitykey='.urlencode($conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY).'&email='.urlencode($obj->email).'&mtid='.$obj->rowid.') ';
- $substitutionarray['__UNSUBSCRIBE__'] = ''.$langs->trans("MailUnsubcribe").'';
- $substitutionarray['__UNSUBSCRIBE_URL__'] = DOL_MAIN_URL_ROOT.'/public/emailing/mailing-unsubscribe.php?tag='.urlencode($obj->tag).'&unsuscrib=1&securitykey='.urlencode($conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY).'&email='.urlencode($obj->email).'&mtid='.$obj->rowid;
+ $substitutionarray['__CHECK_READ__'] = '.'&securitykey='.dol_hash($conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY.'-'.$obj->tag.'-'.$obj->email.'-'.$obj->rowid, ) ';
+ $substitutionarray['__UNSUBSCRIBE__'] = ''.$langs->trans("MailUnsubcribe").'';
+ $substitutionarray['__UNSUBSCRIBE_URL__'] = DOL_MAIN_URL_ROOT.'/public/emailing/mailing-unsubscribe.php?tag='.urlencode($obj->tag).'&unsuscrib=1&securitykey='.dol_hash($conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY.'-'.$obj->tag.'-'.$obj->email.'-'.$obj->rowid, "md5").'&email='.urlencode($obj->email).'&mtid='.((int) $obj->rowid);
$onlinepaymentenabled = 0;
if (isModEnabled('paypal')) {
@@ -480,9 +480,9 @@ if (empty($reshook)) {
// other are set at begin of page
$substitutionarray['__EMAIL__'] = $object->sendto;
$substitutionarray['__MAILTOEMAIL__'] = ''.$object->sendto.'';
- $substitutionarray['__CHECK_READ__'] = '.'&email='.urlencode($obj->sendto).'&mtid=0) ';
- $substitutionarray['__UNSUBSCRIBE__'] = ''.$langs->trans("MailUnsubcribe").'';
- $substitutionarray['__UNSUBSCRIBE_URL__'] = DOL_MAIN_URL_ROOT.'/public/emailing/mailing-unsubscribe.php?tag=undefinedintestmode&unsuscrib=1&securitykey='.urlencode($conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY).'&email='.urlencode($obj->sendto).'&mtid=0';
+ $substitutionarray['__CHECK_READ__'] = ' sendto."-0", 'md5').'&email='.urlencode($obj->sendto).'&mtid=0" width="1" height="1" style="width:1px;height:1px" border="0"/>';
+ $substitutionarray['__UNSUBSCRIBE__'] = 'sendto."-0", 'md5').'&email='.urlencode($obj->sendto).'&mtid=0" target="_blank" rel="noopener noreferrer">'.$langs->trans("MailUnsubcribe").'';
+ $substitutionarray['__UNSUBSCRIBE_URL__'] = DOL_MAIN_URL_ROOT.'/public/emailing/mailing-unsubscribe.php?tag=undefinedintestmode&unsuscrib=1&securitykey='.dol_hash($conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY."-undefinedintestmode-".$obj->sendto."-0", 'md5').'&email='.urlencode($obj->sendto).'&mtid=0';
// Subject and message substitutions
complete_substitutions_array($substitutionarray, $langs, $targetobject);
diff --git a/htdocs/core/actions_massactions.inc.php b/htdocs/core/actions_massactions.inc.php
index c526f9312a0..460b6407789 100644
--- a/htdocs/core/actions_massactions.inc.php
+++ b/htdocs/core/actions_massactions.inc.php
@@ -469,7 +469,7 @@ if (!$error && $massaction == 'confirm_presend') {
$substitutionarray['__ID__'] = ($oneemailperrecipient ? join(', ', array_keys($listofqualifiedobj)) : $objecttmp->id);
$substitutionarray['__REF__'] = ($oneemailperrecipient ? join(', ', $listofqualifiedref) : $objecttmp->ref);
$substitutionarray['__EMAIL__'] = $thirdparty->email;
- $substitutionarray['__CHECK_READ__'] = '.'&securitykey='.urlencode($conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY).') ';
+ $substitutionarray['__CHECK_READ__'] = ' ';
$parameters = array('mode'=>'formemail');
diff --git a/htdocs/core/actions_sendmails.inc.php b/htdocs/core/actions_sendmails.inc.php
index 4f7580bb8ca..ab8a30455ff 100644
--- a/htdocs/core/actions_sendmails.inc.php
+++ b/htdocs/core/actions_sendmails.inc.php
@@ -346,7 +346,7 @@ if (($action == 'send' || $action == 'relance') && !GETPOST('addfile') && !GETPO
// Make substitution in email content
$substitutionarray = getCommonSubstitutionArray($langs, 0, null, $object);
$substitutionarray['__EMAIL__'] = $sendto;
- $substitutionarray['__CHECK_READ__'] = (is_object($object) && is_object($object->thirdparty)) ? '.'&securitykey='.urlencode($conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY).') ' : '';
+ $substitutionarray['__CHECK_READ__'] = (is_object($object) && is_object($object->thirdparty)) ? '' : '';
$parameters = array('mode'=>'formemail');
complete_substitutions_array($substitutionarray, $langs, $object, $parameters);
diff --git a/htdocs/core/tpl/massactions_pre.tpl.php b/htdocs/core/tpl/massactions_pre.tpl.php
index ce36d2bb899..817ec534b4b 100644
--- a/htdocs/core/tpl/massactions_pre.tpl.php
+++ b/htdocs/core/tpl/massactions_pre.tpl.php
@@ -282,7 +282,7 @@ if ($massaction == 'presend') {
$substitutionarray = getCommonSubstitutionArray($langs, 0, null, $object);
$substitutionarray['__EMAIL__'] = $sendto;
- $substitutionarray['__CHECK_READ__'] = (is_object($object) && is_object($object->thirdparty)) ? '' : '';
+ $substitutionarray['__CHECK_READ__'] = '';
$substitutionarray['__PERSONALIZED__'] = ''; // deprecated
$substitutionarray['__CONTACTCIVNAME__'] = '';
diff --git a/htdocs/eventorganization/core/actions_massactions_mail.inc.php b/htdocs/eventorganization/core/actions_massactions_mail.inc.php
index 5398291e69f..2e03777c572 100644
--- a/htdocs/eventorganization/core/actions_massactions_mail.inc.php
+++ b/htdocs/eventorganization/core/actions_massactions_mail.inc.php
@@ -191,7 +191,6 @@ if (!$error && $massaction == 'confirm_presend_attendees') {
}
$substitutionarray['__EVENTORGANIZATION_ICS_LINK__'] = $html_link;
$substitutionarray['__EVENTORGANIZATION_URL_LINK__'] = $url_link;
- $substitutionarray['__CHECK_READ__'] = ' . '&securitykey=' . urlencode($conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY) . ') ';
$parameters = array('mode' => 'formemail');
diff --git a/htdocs/public/emailing/mailing-read.php b/htdocs/public/emailing/mailing-read.php
index 5829c62dbd7..2382639ab6e 100644
--- a/htdocs/public/emailing/mailing-read.php
+++ b/htdocs/public/emailing/mailing-read.php
@@ -85,17 +85,17 @@ $securitykey = GETPOST('securitykey');
dol_syslog("public/emailing/mailing-read.php : tag=".$tag." securitykey=".$securitykey, LOG_DEBUG);
-if ($securitykey != $conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY) {
+if ($securitykey != dol_hash(getDolGlobalString('MAILING_EMAIL_UNSUBSCRIBE_KEY')."-".$tag."-".$email."-".$mtid, 'md5')) {
print 'Bad security key value.';
exit;
}
-if (!empty($tag)) {
+if (!empty($tag) && $tag != 'undefined') {
dol_syslog("public/emailing/mailing-read.php : Update status of email target and thirdparty for tag ".$tag, LOG_DEBUG);
$sql = "SELECT mc.rowid, mc.email, mc.statut, mc.source_type, mc.source_id, m.entity";
$sql .= " FROM ".MAIN_DB_PREFIX."mailing_cibles as mc, ".MAIN_DB_PREFIX."mailing as m";
- $sql .= " WHERE mc.fk_mailing = m.rowid AND mc.tag='".$db->escape($tag)."'";
+ $sql .= " WHERE mc.fk_mailing = m.rowid AND mc.tag = '".$db->escape($tag)."'";
$resql = $db->query($sql);
if (!$resql) dol_print_error($db);
diff --git a/htdocs/public/emailing/mailing-unsubscribe.php b/htdocs/public/emailing/mailing-unsubscribe.php
index a5291d06b7f..f4ca2b10031 100644
--- a/htdocs/public/emailing/mailing-unsubscribe.php
+++ b/htdocs/public/emailing/mailing-unsubscribe.php
@@ -61,6 +61,8 @@ global $user, $conf, $langs;
$langs->loadLangs(array("main", "mails"));
+$mtid = GETPOST('mtid');
+$email = GETPOST('email');
$tag = GETPOST('tag'); // To retreive the emailing, and recipient
$unsuscrib = GETPOST('unsuscrib');
$securitykey = GETPOST('securitykey');
@@ -70,9 +72,9 @@ $securitykey = GETPOST('securitykey');
* Actions
*/
-dol_syslog("public/emailing/mailing-read.php : tag=".$tag." securitykey=".$securitykey, LOG_DEBUG);
+dol_syslog("public/emailing/mailing-unsubscribe.php : tag=".$tag." securitykey=".$securitykey, LOG_DEBUG);
-if ($securitykey != getDolGlobalString('MAILING_EMAIL_UNSUBSCRIBE_KEY')) {
+if ($securitykey != dol_hash(getDolGlobalString('MAILING_EMAIL_UNSUBSCRIBE_KEY')."-".$tag."-".$email."-".$mtid, 'md5')) {
print 'Bad security key value.';
exit;
}
diff --git a/scripts/emailings/mailing-send.php b/scripts/emailings/mailing-send.php
index 3e79be8472c..f2aeecec444 100755
--- a/scripts/emailings/mailing-send.php
+++ b/scripts/emailings/mailing-send.php
@@ -229,9 +229,9 @@ if ($resql) {
$substitutionarray['__OTHER5__'] = $other5;
$substitutionarray['__USER_SIGNATURE__'] = $signature; // Signature is empty when ran from command line or taken from user in parameter)
$substitutionarray['__SIGNATURE__'] = $signature; // For backward compatibility
- $substitutionarray['__CHECK_READ__'] = '';
- $substitutionarray['__UNSUBSCRIBE__'] = ''.$langs->trans("MailUnsubcribe").'';
- $substitutionarray['__UNSUBSCRIBE_URL__'] = DOL_MAIN_URL_ROOT.'/public/emailing/mailing-unsubscribe.php?tag='.urlencode($obj->tag).'&unsuscrib=1&securitykey='.urlencode($conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY).'&email='.urlencode($obj->email).'&mtid='.$obj->rowid;
+ $substitutionarray['__CHECK_READ__'] = '.'&securitykey='.dol_hash($conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY.) tag."-".$obj->email."-".$obj->rowid, "md5").'&email='.urlencode($obj->email).'&mtid='.((int) $obj->rowid).'" width="1" height="1" style="width:1px;height:1px" border="0"/>';
+ $substitutionarray['__UNSUBSCRIBE__'] = 'tag."-".$obj->email."-".$obj->rowid, "md5").'&email='.urlencode($obj->email).'&mtid='.((int) $obj->rowid).'" target="_blank">'.$langs->trans("MailUnsubcribe").'';
+ $substitutionarray['__UNSUBSCRIBE_URL__'] = DOL_MAIN_URL_ROOT.'/public/emailing/mailing-unsubscribe.php?tag='.urlencode($obj->tag).'&unsuscrib=1&securitykey='.dol_hash($conf->global->MAILING_EMAIL_UNSUBSCRIBE_KEY."-".$obj->tag."-".$obj->email."-".$obj->rowid, "md5").'&email='.urlencode($obj->email).'&mtid='.((int) $obj->rowid);
$onlinepaymentenabled = 0;
if (!empty($conf->paypal->enabled)) {
|