craftcms / cms

Build bespoke content experiences with Craft.
https://craftcms.com

[craft2] Email confirmation is sometimes invalid #7945

Closed nstCactus closed 3 years ago

nstCactus commented 3 years ago

Description

I know it's no longer supported but just in case it helps someone…

Some actions (resetting a password, changing email address or activating an account) require a user confirmation. To do so, Craft 2:

The generated code is supposed to contain only [0-9a-zA-z_~] characters which are all transparent in raw URL encoding (says the PHPdoc of Yii's CSecurityManager::generateRandomString()). The problem is that, while the code may contain ~, the confirmation URL is encoded using the http_build_query() PHP function, which encodes ~ characters as %7E.

Long story short: if the code generated contains a ~ (that is if the confirmation URL contains %7E), it won't work.

Quick'n'dirty workaround

In the control panel, go to Settings > Email > Messages and replace {{link}} with {{ link|replace({ '%7E': '~', '%7e': '~' }) }}

Steps to reproduce

  1. Try to reset a user password repeatedly until you hit the issue

Additional info

P.S. I may be wrong because I don't understand how such an issue could go unnoticed for so long!
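The encoding difference the report describes, as an added example that is not Craft's or Yii's own code: the same code is placed in a query string with the default `http_build_query()` (which escapes `~` as `%7E`) and with `PHP_QUERY_RFC3986` (which leaves it literal), and a check confirms whether the code survives verbatim. The function names, the base URL and the sample code are assumptions; PHP 8 is assumed for `str_contains()`/`str_ends_with()`.

```php
<?php
// Added example, not code from the craftcms/cms project.
declare(strict_types=1);

// The alphabet the issue quotes for CSecurityManager::generateRandomString(),
// '~' included, so the problematic case can be produced deliberately.
const CODE_ALPHABET = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_~';

function makeCode(int $length = 32): string
{
    $out = '';
    $max = strlen(CODE_ALPHABET) - 1;
    for ($i = 0; $i < $length; $i++) {
        $out .= CODE_ALPHABET[random_int(0, $max)];
    }
    return $out;
}

// Default http_build_query() uses urlencode(), which turns '~' into '%7E'.
// PHP_QUERY_RFC3986 switches to rawurlencode(), which keeps RFC 3986
// unreserved characters ('~' among them) as they are.
function buildConfirmationUrl(string $base, string $code, int $id, bool $rfc3986 = true): string
{
    $params = ['code' => $code, 'id' => $id];
    $query = $rfc3986
        ? http_build_query($params, '', '&', PHP_QUERY_RFC3986)
        : http_build_query($params);
    return $base . '?' . $query;
}

// True only when the code appears in the query byte-for-byte, with no escapes.
function codeSurvivesVerbatim(string $url, string $code): bool
{
    $query = parse_url($url, PHP_URL_QUERY);
    if (!is_string($query)) {
        return false;
    }
    return str_contains($query, 'code=' . $code . '&')
        || str_ends_with($query, 'code=' . $code);
}

// Constructed sample code containing the character that triggers the report.
$code = 'abc~XYZ_123';
$base = 'https://example.test/confirm'; // placeholder, not a Craft route

$escaped = buildConfirmationUrl($base, $code, 42, false);
$literal = buildConfirmationUrl($base, $code, 42);

var_dump(codeSurvivesVerbatim($escaped, $code)); // '%7E' appears instead of '~'
var_dump(codeSurvivesVerbatim($literal, $code)); // code kept unchanged
```

Running `codeSurvivesVerbatim()` over a batch of `makeCode()` outputs is a quick way to confirm that every generated code, not just this sample, reaches the recipient unaltered with the chosen encoding.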

angrybrad commented 3 years ago

I may be wrong because I don't understand how such an issue could go unnoticed for so long!

Interesting - guessing it's because there's a 1/62 chance of getting the ~ (so relatively low odds) and when it comes to email, people are used to things breaking. :)

Thanks for sharing, though. I've verified that Yii has removed ~ from the list of possible characters in Yii 2/Craft 3, so won't be an issue there.