No Code Attached Yet bug
Denitz
23 Dec 2020

Steps to reproduce the issue

Emails with certain valid subjects are not sent; an exception Prohibited input ... is thrown.

The email subject should contain an @ char followed by some extra chars that are not accepted in a domain; see the subject example below.

Execute the following code:

$app    = \JFactory::getApplication();
$mailer = \JFactory::getMailer();

$to      = 'test@test.com';
$subject = 'Test email for test@test.com {test}';
$body    = 'Test';

// PHP mail works.
mail($to, $subject, $body);

// Joomla way fails.
try
{
	$mailer->sendMail($app->get('mailfrom'), $app->get('fromname'), $to, $subject, $body, 1);
}
catch (\Exception $e)
{
	echo $e->getMessage();
	die;
}

Expected result

Two emails should be sent.

Actual result

Only the first email is sent via mail(); the second email throws an exception Prohibited input U+00000020.
We can see that the subject string is valid.

System information (as much as possible)

4.0 nightly

Additional comments

Joomla\CMS\Mail\Mail::setSubject() calls MailHelper::cleanLine()

MailHelper::cleanLine() for an unknown reason calls PunycodeHelper::emailToPunycode(), which is only intended to convert the email address to Punycode if required.

Joomla 3 uses the \idna_convert class, which actually doesn't create issues with such subjects.
Joomla 4 started to use Algo26\IdnaConvert\ToIdn for Punycode conversion, which throws an exception on the invalid domain pattern that the subject is validated as.

The main issue is that MailHelper::cleanLine() is used for non-email address checks, i.e. for a subject or for a sender name.
We have MailHelper::cleanSubject() and MailHelper::cleanAddress() but they are not used at all. Note that cleanAddress() actually doesn't perform Punycode conversion.

Logically, even the current Mail code in Joomla 3 is invalid, even though it allows sending emails with such subjects.

All MailHelper::cleanXXX() methods should be re-checked and used in the proper manner.
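
The separation the report asks for, as an added example that is not part of the original report or of Joomla's code: a line cleaner that only strips CR/LF (the header-injection defence) and a separate address path that is the only place domain checks run. All function names are hypothetical, and assertDomainEncodable() is a simplified stand-in for a strict IDNA encoder, assumed to reject disallowed ASCII code points with the message format quoted in the report.

```php
<?php
// Added example. All function names are hypothetical, not Joomla's MailHelper API.

// Header-injection defence for any one-line header value (subject, sender name):
// strip raw and URL-encoded CR/LF. No address or domain handling belongs here.
function cleanHeaderLine(string $value): string
{
    return trim(preg_replace('/(%0A|%0D|\n+|\r+)/i', '', $value));
}

// Stand-in for a strict IDNA encoder (assumption): reject ASCII code points that
// are not allowed in a domain name, reporting them in the format seen in the report.
function assertDomainEncodable(string $domain): void
{
    if (preg_match('/[\x00-\x2C\x2F\x3A-\x40\x5B-\x60\x7B-\x7F]/', $domain, $m)) {
        throw new InvalidArgumentException(sprintf('Prohibited input U+%08X', ord($m[0])));
    }
}

// Address-only path: domain checks run on the text after the last "@".
function cleanRecipient(string $address): string
{
    $address = cleanHeaderLine($address);
    $at      = strrpos($address, '@');

    if ($at === false || $at === 0 || $at === strlen($address) - 1) {
        throw new InvalidArgumentException('Not an email address');
    }

    assertDomainEncodable(substr($address, $at + 1));

    return $address;
}

$subject = 'Test email for test@test.com {test}'; // subject from the report

// Wrong: the subject is treated as an address, so "test.com {test}" is checked as a domain.
try {
    cleanRecipient($subject);
} catch (InvalidArgumentException $e) {
    echo 'address path: ', $e->getMessage(), PHP_EOL;
}

// Right: the subject only gets the CR/LF stripping; the recipient gets the address path.
echo 'subject: ', cleanHeaderLine($subject), PHP_EOL;
echo 'injected: ', cleanHeaderLine("Hi\r\nBcc: x@example.com"), PHP_EOL; // constructed input
echo 'recipient: ', cleanRecipient('test@test.com'), PHP_EOL;
```

The constructed "injected" input shows that dropping the domain check from the subject path does not weaken the CR/LF stripping, which is the part that matters for header injection.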

Denitz - open - 23 Dec 2020
joomla-cms-bot - change - 23 Dec 2020
Labels Added: ?
joomla-cms-bot - labeled - 23 Dec 2020
counterpoint - comment - 4 Jan 2023

This issue is cropping up in a variety of situations, not just to do with email addresses, nor always to do with the same character. It is now over 2 years since it was reported, and it is occurring in Joomla 4.2.6. If it isn't possible to stop it happening, can documentation please be provided as to what tests are being done to what data? Otherwise developers have great difficulty knowing what they are dealing with.


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/31768.

Hackwar - change - 20 Feb 2023
Labels Added: No Code Attached Yet bug
Removed: ?
Hackwar - labeled - 20 Feb 2023
website21cz - comment - 25 Jun 2023

I have this problem too, especially when the web site title contains diacritics and the username is in the shape email@site.tld.

richard67 - change - 11 Jul 2023
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2023-07-11 12:12:28
Closed_By: richard67
richard67 - close - 11 Jul 2023
richard67 - comment - 11 Jul 2023

Closing as having a pull request. Please test #41138. Thanks in advance.

PetrChudoba73 - comment - 4 Aug 2023

I did the test with version 4.3.3, where I added the same value test2@testcz.cz in all registration fields and got a 500 error.
