Last modified: 2013-10-23 07:16:01 UTC
When I try to confirm the e-mail address for my account [[de:Benutzer:X" onclick="alert('XSS');" title="y]] I always get:

Wikipedia could not send your confirmation mail. Please check your e-mail address for invalid characters.
Mailer returned: Unknown error in PHP's mail() function

I tried it with different mail addresses (including the one I'm using here and the one for my main account, which I could confirm without problem), so it's probably not the mail address but the user name that makes problems.

Incidentally, love the username. ;) http://xkcd.com/327/

It should be getting quoted-printabled ... Running the username with a sample address through MailAddress's formatting gives:

=?UTF-8?Q?X"=20onclick=3D"alert('XSS');"=20title=3D"y?= <foo@bar>

I suspect it's the semicolon that gives the problem; if there's a '.' or ',' we wrap the whole bit in additional quotes, but not for semicolon. I'll do some tests.
This actually sends through fine on my dev machine's default mailer. Someone'll probably want to check error logs, I'm not sure what's in use in production atm.
If you want to look into the error logs, I tried it when I created the account 4. Aug 2011 11:34 UTC (in als.wikipedia), just before my first report (in de.wikipedia) and again just now.
Note that I did some work on UserMailer.php — I'm not sure it would have changed the behavior between trunk and 1.17, but it could have. Did you test trunk, Brion?
(In reply to comment #4)
> Note that I did some work on UserMailer.php — I'm not sure it would
> have changed the behavior between trunk and 1.17, but it could have.

No, that didn't fix the bug, I can still reproduce now with 1.19.
Hi, I have received on OTRS a mail from a user complaining about this same error. He wants to reset his password and he always gets this error (in French):

Erreur lors de l'envoi du courriel : Erreur inconnue dans la fonction mail() de PHP.
(Error sending the mail: Unknown error in PHP's mail() function.)

Ticket OTRS 2012090910012075
User mail address: christophe.moustier@free.fr

Can someone check this issue? Thanks!
(In reply to comment #5)
> No, that didn't fix the bug, I can still reproduce now with 1.19.

http://www.mwusers.com/forums/showthread.php?18000-Error-sending-confirmation-Email states there was a fix in 1.18.1. However, the error message is so generic that I can imagine many reasons why this fails (and that the two affected users who commented here might have different problems with the same outcome).

For the record, a similar report without a solution is https://jira.toolserver.org/browse/TS-1243
This happened again on de.wikipedia, for a user with a @ in his name. After he was renamed (necessary for SUL anyway) he was able to verify his email address.

As, according to http://tools.ietf.org/html/rfc2045#page-19, it is perfectly fine to encode characters even when not needed, MediaWiki should just escape everything in the user name that could cause trouble, and only leave ASCII letters and numbers alone.
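
The escaping proposed in the last comment, sketched as an added example that is not part of the original thread and not MediaWiki's UserMailer or MailAddress code. The function names strictQEncodeName and formatMailbox are hypothetical, and the 75-character splitting follows RFC 2047 rather than anything stated in the thread.

```php
<?php
// Added example (hypothetical helpers): encode a display name as RFC 2047 "Q"
// encoded-words, leaving only ASCII letters and digits literal and
// hex-escaping every other byte.
function strictQEncodeName( string $name, string $charset = 'UTF-8' ): string {
	$prefix = "=?{$charset}?Q?";
	// RFC 2047 limits one encoded-word to 75 characters, delimiters included.
	$budget = 75 - strlen( $prefix ) - strlen( '?=' );
	// Split into UTF-8 characters so a multi-byte character never straddles
	// two encoded-words; preg_split() returns false on invalid UTF-8.
	$chars = preg_split( '//u', $name, -1, PREG_SPLIT_NO_EMPTY );
	if ( $chars === false ) {
		throw new InvalidArgumentException( 'Name is not valid UTF-8' );
	}
	$words = [];
	$current = '';
	foreach ( $chars as $ch ) {
		if ( preg_match( '/^[A-Za-z0-9]$/', $ch ) ) {
			$enc = $ch;
		} else {
			$enc = '';
			foreach ( str_split( $ch ) as $byte ) {
				$enc .= sprintf( '=%02X', ord( $byte ) );
			}
		}
		if ( $current !== '' && strlen( $current ) + strlen( $enc ) > $budget ) {
			$words[] = $prefix . $current . '?=';
			$current = '';
		}
		$current .= $enc;
	}
	if ( $current !== '' ) {
		$words[] = $prefix . $current . '?=';
	}
	// Adjacent encoded-words are separated by whitespace, which decoders drop.
	return implode( ' ', $words );
}

// Build "name <address>"; refuse CR, LF and angle brackets in the address part.
function formatMailbox( string $name, string $address ): string {
	if ( preg_match( '/[\r\n<>]/', $address ) ) {
		throw new InvalidArgumentException( 'Unsafe character in address' );
	}
	$encoded = strictQEncodeName( $name );
	return $encoded === '' ? $address : "{$encoded} <{$address}>";
}

// The user name from the first report and the sample address from the thread.
echo formatMailbox( 'X" onclick="alert(\'XSS\');" title="y', 'foo@bar' ), "\n";
```

With this encoding the quotes, parentheses, semicolon and any @ in a user name reach the mailer only as =XX escapes, so no character in the name can be parsed as address syntax.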