[CRM-3638] CiviCRM does not handle tokens embedded in URLs without Track Clickthroughs enabled - CiviCRM Issue Tracker

Details

Type: Bug
Status: Done/Fixed
Priority: Major
Resolution: Fixed/Completed
Affects Version/s: 2.1
Fix Version/s: 2.1
Component/s: None
Labels:
None

Description

We are using SVN r17296 of branches/v2.1.

1. CiviCRM does not identify tokens embedded in URLs unless "Track Clickthroughs" is enabled, so "Track Clickthroughs" is required for use of checksums.

2. Enabling "Track Clickthroughs" on a checksum URL is a security issue, in that it's easy to find other contact's checksum URLs by altering the qid value in the received URL.

While tokens embedded in URLs are not replaced in CiviMails unless "Track Clickthroughs" is enabled, they are correctly handled when the same template is used to send an email directly to a contact via "Send an email" from the contact page.

CiviMail is consistent in this behaviour both when sending test emails and when sending the mail live.

We've observed similar behaviour in 2.0.

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Download All

Attachments

Checksum Test - NO URL TRACKING.eml
2008-09-29 22:29
3 kB
Chris Burgess
Checksum Test - SEND AN EMAIL.eml
2008-09-29 22:29
1 kB
Chris Burgess
Checksum Test - TRACK CLICKTHROUGHS.eml
2008-09-29 22:28
3 kB
Chris Burgess
html email.html
2008-09-29 22:28
0.2 kB
Chris Burgess
plain text email.txt
2008-09-29 22:28
0.1 kB
Chris Burgess

Activity

People

Assignee:

Neha Kulkarni

Reporter:

Chris Burgess

Votes:

0 Vote for this issue

Watchers:

1 Start watching this issue

Dates

Created:

2008-09-29 22:28

Updated:

2008-12-23 7:35

Resolved:

2008-09-30 11:39