View Issue Details

ID: 0007275
Project: OXID eShop (all versions)
Category: 1.05. Users
View Status: public
Last Update: 2021-11-02 16:27
Reporter: jaroslav.herber
Assigned To:
Priority: high
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 6.3.1
Fixed in Version: 6.4.0
Summary: 0007275: Some email-addresses aren't compatible with OXID
Description:
If you register a shop-account with an email-address containing a dot and a following hyphen (".-"), the shop won't send any mails to this email-address.
For example: [email protected]

The problem is the use of the PHP-function idn_to_ascii() + PHP 7.4
idn_to_ascii returns false in this case -> so the shop will send the mail to an empty recipient-email-address.

This bug could be PHP-related since the default behaviour of idn_to_ascii was changed in PHP 7.4.
Steps To Reproduce:
Register with a valid mail-address containing ".-" (dot and following hyphen)
-> Like "[email protected]"

Then place an order or use the password forgot function.
You won't receive any mail from the shop.
Additional Information:
/vendor/oxid-esales/oxideshop-ce/source/Core/Email.php:

    private function idnToAscii($idn)
    {
        if (function_exists('idn_to_ascii')) {
            return idn_to_ascii($idn); // <-- this is the problem
        }

        return $idn;
    }
Tags: mail
Theme: All
Browser: All
PHP Version: 7.4
Database Version: All

Activities

jaroslav.herber

2021-09-14 10:47

reporter   ~0013476

According to the definition of idn_to_ascii(), this function should be used with domains - not with email-addresses.
https://www.php.net/manual/de/function.idn-to-ascii.php
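
Added example, not part of the original report and not OXID's actual fix: one way to apply the point in the note above, converting only the domain part of an address with idn_to_ascii() and checking for a false return so the recipient is never empty. The helper name emailToAscii and the sample addresses are assumptions for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not OXID's Email.php): convert only the domain part
 * of an address to its ASCII form and never return an empty recipient.
 */
function emailToAscii(string $email): string
{
    // Split at the last "@": everything before it is the local part.
    $at = strrpos($email, '@');
    if ($at === false || !function_exists('idn_to_ascii')) {
        return $email; // nothing to convert, or ext-intl is not loaded
    }

    $local  = substr($email, 0, $at);
    $domain = substr($email, $at + 1);
    if ($domain === '') {
        return $email;
    }

    // Pass the variant explicitly so behaviour does not depend on the
    // default of the running PHP version.
    $ascii = idn_to_ascii($domain, IDNA_DEFAULT, INTL_IDNA_VARIANT_UTS46);

    // idn_to_ascii() returns false on failure; keep the original address
    // instead of handing an empty recipient to the mailer.
    if ($ascii === false) {
        return $email;
    }

    return $local . '@' . $ascii;
}

// Constructed sample addresses (placeholder domains, not from the report).
$samples = [
    'john.-doe@example.com', // ".-" in the local part, as in the report
    'jane@müller.example',   // internationalized domain
    'no-at-sign',            // malformed input is passed through unchanged
];
foreach ($samples as $address) {
    printf("%-26s => %s\n", $address, emailToAscii($address));
}
```
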

michael_keiluweit

2021-09-14 11:02

administrator   ~0013477

Hey @jaroslav.herber,

you set this entry as a security issue. For me it sounds like a "normal" bug in the framework and therefore I have a hard time understanding it as a security problem. So I'd like to ask you to elaborate on that, please.

Kind regards
Michael

jaroslav.herber

2021-09-14 11:30

reporter   ~0013478

Hi @michael_keiluweit,

you're right. This should be another category. But I don't see an edit button... Can you change it?

Best regards,
Jaro

michael_keiluweit

2021-09-15 08:16

administrator   ~0013481

Last edited: 2021-09-15 08:16

Hey @jaroslav.herber,

done :)

Greetings
Michael