Uploaded image for project: 'CiviCRM'
  1. CiviCRM
  2. CRM-3638

CiviCRM does not handle tokens embedded in URLs without Track Clickthroughs enabled


    • Type: Bug
    • Status: Done/Fixed
    • Priority: Major
    • Resolution: Fixed/Completed
    • Affects Version/s: 2.1
    • Fix Version/s: 2.1
    • Component/s: None
    • Labels:


      We are using SVN r17296 of branches/v2.1.

      1. CiviCRM does not identify tokens embedded in URLs unless "Track Clickthroughs" is enabled, so "Track Clickthroughs" is required for use of checksums.

      2. Enabling "Track Clickthroughs" on a checksum URL is a security issue, in that it's easy to find other contact's checksum URLs by altering the qid value in the received URL.

      While tokens embedded in URLs are not replaced in CiviMails unless "Track Clickthroughs" is enabled, they are correctly handled when the same template is used to send an email directly to a contact via "Send an email" from the contact page.

      CiviMail is consistent in this behaviour both when sending test emails and when sending the mail live.

      We've observed similar behaviour in 2.0.


        1. Checksum Test - NO URL TRACKING.eml
          3 kB
          Chris Burgess
        2. Checksum Test - SEND AN EMAIL.eml
          1 kB
          Chris Burgess
        3. Checksum Test - TRACK CLICKTHROUGHS.eml
          3 kB
          Chris Burgess
        4. html email.html
          0.2 kB
          Chris Burgess
        5. plain text email.txt
          0.1 kB
          Chris Burgess



            • Assignee:
              neha.saraph Neha Kulkarni
              xurizaemon Chris Burgess
            • Votes:
              0 Vote for this issue
              1 Start watching this issue


              • Created: