Unknown error in PHP's mail() function when trying to send confirmation mail
Open, Normal, Public

Description

When I try to confirm the e-mail address for my account [[de:Benutzer:X" onclick="alert('XSS');" title="y]] I always get:

Wikipedia could not send your confirmation mail. Please check your e-mail address for invalid characters.

Mailer returned: Unknown error in PHP's mail() function

I tried it with different mail addresses (including the one I'm using here and the one for my main account, which I could confirm without problem), so it's probably not the mail address but the user name that makes problems.


Version: 1.19
Severity: normal

Details

Reference
bz30260

Event Timeline

bzimport raised the priority of this task from to Normal. (Nov 21 2014, 11:55 PM)
bzimport added a project: MediaWiki-Email.
bzimport set Reference to bz30260.
bzimport added a subscriber: Unknown Object (MLST).
Schnark created this task. (Aug 6 2011, 8:19 AM)
brion added a comment. (Aug 6 2011, 11:06 AM)

Incidentally, love the username. ;) http://xkcd.com/327/

It should be getting quoted-printabled ... Running the username with a sample address through MailAddress's formatting gives:

?UTF-8?Q?X"=20onclick=3D"alert('XSS');"=20title=3D"y?= <foo@bar>

I suspect it's the semicolon that gives the problem; if there's a '.' or ',' we wrap the whole bit in additional quotes, but not for semicolon. I'll do some tests.

brion added a comment. (Aug 6 2011, 11:18 AM)

This actually sends through fine on my dev machine's default mailer. Someone'll probably want to check error logs, I'm not sure what's in use in production atm.

If you want to look into the error logs, I tried it when I created the account 4. Aug 2011 11:34 UTC (in als.wikipedia), just before my first report (in de.wikipedia) and again just now.

Note that I did some work on UserMailer.php — I'm not sure it would
have changed the behavior between trunk and 1.17, but it could have.
Did you test trunk, Brion?

(In reply to comment #4)

Note that I did some work on UserMailer.php — I'm not sure it would
have changed the behavior between trunk and 1.17, but it could have.

No, that didn't fix the bug, I can still reproduce now with 1.19.

wikimail wrote:

Hi, I have received on OTRS a mail from a user complaining about this same error. He wants to reset his password and he always gets this error (in French):

Erreur lors de l'envoi du courriel : Erreur inconnue dans la fonction mail() de PHP.

(Error sending the mail: Unknown error in PHP's mail() function.)

Ticket OTRS 2012090910012075

User mail address: christophe.moustier@free.fr

Can someone check this issue?

Thanks!

(In reply to comment #5)

No, that didn't fix the bug, I can still reproduce now with 1.19.

http://www.mwusers.com/forums/showthread.php?18000-Error-sending-confirmation-Email states there was a fix in 1.18.1.
However the error message is so generic that I can imagine many reasons why this fails (and that the two affected users who commented here might have different problems with the same outcome).

For the record, a similar report without a solution is https://jira.toolserver.org/browse/TS-1243

This happened again on de.wikipedia, for a user with a @ in his name. After he was renamed (necessary for SUL anyway) he was able to verify his email address. As according to http://tools.ietf.org/html/rfc2045#page-19 it is perfectly fine to encode characters even when not needed, MediaWiki should just escape everything in the user name that could cause trouble, and only leave ASCII letters and numbers alone.
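The encoding discussed in the comments above (quoted-printable display names, and the proposal to leave only ASCII letters and digits unencoded), as an added example that is not part of the original thread and not MediaWiki's own code. The function names `encodeDisplayName` and `formatMailbox` are hypothetical, and the sample names are constructed from the ones reported in this task.

```php
<?php
// Added example, not MediaWiki's MailAddress code; function names are hypothetical.

/** Q-encode a display name (RFC 2047), leaving only ASCII letters and digits literal. */
function encodeDisplayName( string $name ): string {
    if ( preg_match( '//u', $name ) !== 1 ) {
        throw new InvalidArgumentException( 'display name is not valid UTF-8' );
    }
    $prefix = '=?UTF-8?Q?';
    $suffix = '?=';
    $maxPayload = 75 - strlen( $prefix ) - strlen( $suffix ); // encoded-word length limit
    $words = [];
    $current = '';
    // Walk code points so a multi-byte character is never split across two words.
    foreach ( preg_split( '//u', $name, -1, PREG_SPLIT_NO_EMPTY ) as $char ) {
        $token = $char;
        if ( preg_match( '/^[A-Za-z0-9]$/D', $char ) !== 1 ) {
            // Everything else, including '"', ';', '@' and space, becomes =XX per byte.
            $token = '';
            foreach ( str_split( $char ) as $byte ) {
                $token .= sprintf( '=%02X', ord( $byte ) );
            }
        }
        if ( strlen( $current ) + strlen( $token ) > $maxPayload ) {
            $words[] = $prefix . $current . $suffix;
            $current = '';
        }
        $current .= $token;
    }
    if ( $current !== '' ) {
        $words[] = $prefix . $current . $suffix;
    }
    return implode( "\r\n ", $words ); // fold between encoded-words
}

/** Build "encoded-name <address>" after validating the address. */
function formatMailbox( string $name, string $address ): string {
    if ( filter_var( $address, FILTER_VALIDATE_EMAIL ) === false ) {
        throw new InvalidArgumentException( 'invalid address' );
    }
    return $name === '' ? $address : encodeDisplayName( $name ) . " <$address>";
}

// Constructed inputs modelled on the user names reported in this task.
foreach ( [ 'X" onclick="alert(\'XSS\');" title="y', 'Jane Jönsson', 'user@name' ] as $n ) {
    echo formatMailbox( $n, 'foo@example.org' ), "\n";
}
```

Because no quote, semicolon, comma, period or `@` from the user name reaches the header unencoded, the display name needs no additional quoting rules.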

In my case, this is due to sendmail_path already being set with -f in php.ini.
So the rough solution was to comment out in includes/mail/UserMailer.php:

public static function send( $to, $from, $subject, $body, $replyto = null,
                $contentType = 'text/plain; charset=UTF-8'
        ) {
# ...
# $extraParams .= ' -f ' . $returnPath;

This should definitely be removed, as $extraParams is built from $wgAdditionalMailParams which can be set by the user.
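One way to avoid the conflict described in the comment above, as an added example that is not part of the original comment and not MediaWiki's UserMailer code. The helper names are hypothetical, the configurations are constructed, and sendmail-style `-f` semantics are assumed.

```php
<?php
// Added example, not MediaWiki code; all function names are hypothetical.

/** True if a sendmail command line or parameter string already carries a -f sender. */
function setsEnvelopeSender( string $commandLine ): bool {
    // Matches "-f addr" and "-faddr" as a separate argument, not "-oi" or "my-f".
    return preg_match( '/(^|\s)-f\s*\S/', $commandLine ) === 1;
}

/** Conservative allowlist for an address that will end up on a command line. */
function isSafeEnvelopeSender( string $addr ): bool {
    // One token: no whitespace, quotes or shell metacharacters, no leading "-".
    return preg_match(
        '/^[A-Za-z0-9][A-Za-z0-9._+=-]*@[A-Za-z0-9][A-Za-z0-9.-]*$/D', $addr
    ) === 1;
}

/**
 * Build the 5th argument of mail(). $sendmailPath would be ini_get( 'sendmail_path' ),
 * $additionalParams the site's configured extra parameters.
 */
function buildEnvelopeParams(
    string $additionalParams, string $returnPath, string $sendmailPath
): string {
    $params = trim( $additionalParams );
    if ( setsEnvelopeSender( $sendmailPath ) || setsEnvelopeSender( $params ) ) {
        return $params; // the administrator already chose a sender: do not add another
    }
    if ( !isSafeEnvelopeSender( $returnPath ) ) {
        throw new InvalidArgumentException( 'return path rejected by allowlist' );
    }
    // mail() applies escapeshellcmd() to this string itself; the allowlist above is
    // what keeps the address a single argument.
    return trim( $params . ' -f ' . $returnPath );
}

// Constructed configurations for illustration.
$cases = [
    [ '/usr/sbin/sendmail -t -i', '' ],
    [ '/usr/sbin/sendmail -t -i -f bounce@example.org', '' ],
    [ '/usr/sbin/sendmail -t -i', '-f admin@example.org' ],
];
foreach ( $cases as [ $path, $extra ] ) {
    var_dump( buildEnvelopeParams( $extra, 'wiki-bounce@example.org', $path ) );
}
```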

Foudfou set Security to None. (Mar 5 2015, 10:34 PM)
Foudfou added subscribers: 01tonythomas, Legoktm.

This (138655) is the change that broke things.

Besides, I wonder why Return-Path is used as rfc822 4.3.1 states:

This field [Return-Path] is added by the final transport system that delivers the message to its recipient.

Maybe https://gerrit.wikimedia.org/r/138655 should be re-considered, if not reverted.

This (138655) is the change that broke things.
Besides, I wonder why Return-Path is used as rfc822 4.3.1 states:

This field [Return-Path] is added by the final transport system that delivers the message to its recipient.

We were forcefully setting up this 5th param for the Wikimedia cluster to enable use of BounceHandler extension. If you are not using the extension, please comment it out. We wanted to have the 'Return-Path' altered in between, and not by the final transport - hence the change in between.

Hi there, is this still a problem?
I'm getting this error when trying to register (or password-recover) an account "Jane Jönsson" (note umlaut). No problem without umlaut, or indeed any other user I've successfully created with the same pattern (Name Surname), but without "funny" characters.
I'm using

Product Version
MediaWiki 1.26.2
PHP 5.4.43 (cgi-fcgi)
MySQL 5.5.42-37.1-log
ICU 4.2.1

Thanks

Krinkle removed a subscriber: Krinkle. (Jun 28 2016, 10:26 PM)