One of the neat features of gmail (and some other email systems) is that you can use + as a valid character in your email, giving you an extensible address.
So sample+one@gmail and sample+two@gmail both are delivered to sample@gmail.com. Good as anti-spam and source tracking, for example.

As a result of this cool feature, many people validly use a plus sign in their emails. Drupal accepts this, unlike MANY email validators out there.

This module fails to work with such an address. It will send the mails out to the old and new email addresses, both with plus signs, but the url, when clicked on, causes a 'There was a problem verifying your change of e-mail request' and fails to make the change. It's possible to create an account, using a 'plussed' address, change your email to something else via this module, and then be unable to change it back to the original email used.

The problem is likely that the plus is webencoded in the url... so it'll need to be reversed before the hashing check.

Comments

sethcohn’s picture

Status: Active » Needs review

Ok, we needed this to work with plus signs, so here's the fix (after some research):

#21719: Do not use URL syntax for database settings and #191116: Make drupal_urlencode RFC 1738-compliant are two examples of the problems related to using + signs. It turns out that urlen/decode (and the drupal version) convert the + into %2b, but fail to convert it back to +, and instead turn it into a space on decode. (rawen/decode doesn't have this issue...btw) According to http://www.ietf.org/rfc/rfc2822.txt, space is never a valid email char, so if we find a space when it comes back via the clicked url, we can be sure it used to be a plus sign.

So the following patch works in function email_confirm_user_change_mail:

add near the top of the function:

$new_mail = str_replace(" ","+",$new_mail);

That will fix sample one@gmail.com (from above, which is the value $new_mail will hold otherwise) to sample+one@gmail.com (which is what $edit['mail'] held in the first place...) so that the hashes match and the url confirmation succeeds.

(Interestingly, the url filter catches the one@ but fails on the sample+one above... someone needs to fix that as well to behave correctly with plussed emails)
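
The failure and the repair discussed in the comment above, as an added example that is not the email_confirm module's own code. `confirm_hash()`, `restore_plus()`, `SITE_KEY`, the uid and the HMAC-SHA256 construction are hypothetical stand-ins for the module's hashing. The script shows which decoding paths turn the plus into a space and that the `str_replace` repair makes the hash match again.

```php
<?php
// Added illustration; confirm_hash(), restore_plus() and SITE_KEY are
// hypothetical stand-ins, not the email_confirm module's own code.
const SITE_KEY = 'constructed-demo-key';

// Token bound to the account and the requested address.
function confirm_hash(int $uid, string $new_mail): string {
    return hash_hmac('sha256', $uid . ':' . $new_mail, SITE_KEY);
}

// The repair from the comment above: a space cannot occur in a valid
// address, so a space that arrives via the URL is taken to be a lost '+'.
function restore_plus(string $mail_from_url): string {
    return str_replace(' ', '+', $mail_from_url);
}

$uid      = 42;                              // constructed sample values
$new_mail = 'sample+one@gmail.com';
$token    = confirm_hash($uid, $new_mail);   // computed when the mail is sent

// How the address can look by the time the confirmation handler sees it.
$arrivals = [
    'encoded, decoded once'   => urldecode(urlencode($new_mail)),
    'encoded, decoded twice'  => urldecode(urldecode(urlencode($new_mail))),
    'literal +, urldecode'    => urldecode($new_mail),
    'literal +, rawurldecode' => rawurldecode($new_mail),
];

foreach ($arrivals as $case => $mail) {
    // hash_equals() compares in constant time, so the check does not leak
    // how many leading characters of the token were correct.
    $before = hash_equals($token, confirm_hash($uid, $mail));
    $after  = hash_equals($token, confirm_hash($uid, restore_plus($mail)));
    printf("%-24s %-24s raw:%-5s repaired:%s\n", $case, "'$mail'",
        $before ? 'ok' : 'FAIL', $after ? 'ok' : 'FAIL');
}
```

The repair only changes the string that is fed into the hash comparison, so a request still has to carry a token that matches the repaired address.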

toemaz’s picture

I confirm that the fix worked for me, on drupal 5.8. Nice catch!

jaydub’s picture

Status: Needs review » Fixed

I never knew that about GMail...well you learn something new every day I guess.

I've added this to CVS. It works in my tests but let's see if anybody
reports anything before making a new release.

toemaz’s picture

Version: 5.x-1.1 » 5.x-1.x-dev

Great. I'll use the dev snapshot once it is made.

Anonymous’s picture

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.