Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix email html encoding #12611

Closed
wants to merge 4 commits into from
Closed

Fix email html encoding #12611

wants to merge 4 commits into from

Conversation

ghost
Copy link

@ghost ghost commented Mar 9, 2018
edited by Findus23

Fixing: E-Mail addresses with special characters are not working. Changed the mail address to match the original input for the validator, add user and update user.

Made in correspondence to and fixes #11796

@mattab
Copy link
Member

mattab commented Mar 19, 2018

Thanks for the PR @Kallaen 👍

(when reviewing the PR, since it will now allow for some XSS prone characters, we should specifically look for XSS injections in the email address)

@mattab mattab modified the milestones: 3.3.1, 3.4.0 Mar 19, 2018
@ghost
Copy link
Author

ghost commented Mar 19, 2018

Thanks for the reply. Yea, I saw the test failing. I'll look into it again.

@mattab mattab modified the milestones: 3.5.0, 3.4.1 Mar 20, 2018
@diosmosis diosmosis added the Needs Review PRs that need a code review label Mar 25, 2018
@diosmosis
Copy link
Member

To better check for XSS here, can you change the UITestFixture.php class so the users used in UI tests have XSS email addresses?

You'd have to change this line: https://github.com/matomo-org/matomo/blob/3.x-dev/tests/PHPUnit/Fixtures/UITestFixture.php#L71

to be something like:

UsersManagerAPI::getInstance()->addUser('oliverqueen', 'smartypants', self::makeXssContent('useremail') . '@queenindustries.com');

It would also be good to change the super user's email address to an XSS one, since I think that user is used throughout the UI tests. To do that, you'd have to add a UsersManagerAPI::getInstance()->updateUser(...) call to this method: https://github.com/matomo-org/matomo/blob/3.x-dev/tests/PHPUnit/Fixtures/UITestFixture.php#L43

eg:

UsersManagerAPI::getInstance()->updateUser('superUserLogin', $password = false, self::makeXssContent('superuseremail') . '@example.com');

diosmosis
diosmosis requested changes Mar 25, 2018
View reviewed changes
Copy link
Member

@diosmosis diosmosis left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Requires some changes. One of the test failures I think can be fixed by merging or rebasing w/ 3.x-dev.

core/Piwik.php
@@ -572,7 +572,8 @@ public static function isValidEmailString($emailAddress)
{
/** @var \Zend_Validate_EmailAddress $zendEmailValidator */
$zendEmailValidator = StaticContainer::get('Zend_Validate_EmailAddress');
return $zendEmailValidator->isValid($emailAddress);

return $zendEmailValidator->isValid(mb_convert_encoding($emailAddress, "UTF-8", "HTML-ENTITIES"));
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's a core Piwik function for unsanitizing values: \Piwik\Common:: unsanitizeInputValue(...). (see https://github.com/matomo-org/matomo/blob/3.x-dev/core/Common.php#L363 ).

Can you use that instead of mb_convert_encoding()? Depending on a function we control means we can change how it works ourselves & in one place, instead of having to look for every use of, eg, mb_convert_encoding().

plugins/UsersManager/API.php
}
} else {
$email = mb_convert_encoding($email, "UTF-8", "HTML-ENTITIES");
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I noticed in a couple lines the tabbing is off by one char. Can you fix this?

@mattab
Copy link
Member

mattab commented Apr 23, 2018

Hi @Kallaen
Do you think you'll be able to make the changes as suggested?
Thanks again for the PR!

@mattab mattab modified the milestones: 3.5.0, 3.6.0 Apr 23, 2018
@ghost
Copy link
Author

ghost commented Apr 27, 2018

@mattab Sorry, I can't find the time to do it at the moment.

@sgiehl
Copy link
Member

sgiehl commented Jun 18, 2018

@Kallaen Still busy? Or do you maybe have some time the coming days?

@Findus23
Copy link
Member

Findus23 commented Jul 1, 2018

@sgiehl As the github user got deleted I guess this pull request won't be changed anymore.

@sgiehl
Copy link
Member

sgiehl commented Jul 1, 2018

Closing then. Maybe some is keen on recreating this PR with the suggested changes...

@sgiehl sgiehl closed this Jul 1, 2018
@Findus23 Findus23 mentioned this pull request Jul 1, 2018
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
Needs Review PRs that need a code review
Projects
None yet
Milestone
Backlog (Help wanted)
Development

Successfully merging this pull request may close these issues.

E-Mail addresses with special characters are not working
5 participants
@mattab @diosmosis @sgiehl @Findus23 @Kallaen