Several Questions about development and the Mail package

Daniel Mendes

May 3, 2006, 7:18:10 AM
to Joomla! Developer Documentation
Hi,
I looked at the JMail and JMailHelper classes code in the Mail.php file
that extends the PHPMailer library, and I found a couple of things I am
not clear on:

1) There seems to be an incomplete method: "void isEmailAddress
(mixed $email)"; this function is not void, it is Boolean, and it needs the
phpDocumentor code. I PMed Louis Landry but got no reply, and also PMed
Johan and got no reply, so if someone could add this to svn I would
appreciate it; I could not access it with my forge user and password:

/**
 * This method verifies that the string is in a proper e-mail address format.
 *
 * @static
 * @param string $email
 * @return boolean
 * @since 1.5
 */

2) I really don't understand the purpose of the clean* functions in the
JMailHelper class:

mixed cleanAddress (string $address)
string cleanBody (string &$body)
string cleanSubject (string $subject)

If someone could explain what their purpose, goals or use case are, I
would appreciate it; it would allow me to write better documentation
and some example code.

3) The useSMTP function and others have all parameters optional, because
if they are not given they will get their parameters from
$mainframe->getCfg('smtpauth'). I was wondering where that information
is stored (what file) and what happens if it is not defined in that
file?
the mainframe is a global variable that refers to

looking at the :

if (!empty ($this->SMTPAuth) && !empty ($this->Host) && !empty
($this->Username) && !empty ($this->Password))

It returns false on failure, so in my code example I should write
something like:

if ( !useSMTP() ) echo "The SMTP parameters are not setup in the XXXX file";

This is useful but I would rather have the function return an error
code if a certain parameter was not defined so I could debug with a
switch on each code... but perhaps this is overkill...

Well that's all for now, thanks for the time and Help.
-Dan

PS: Hope this gets posted. I tried to post this yesterday, but it looks
like Google lost my message, got to love these Google guys :x I have a
long experience with Yahoo, and they never lost one email or one
message to yahoo-groups... oh well....

Ian MacLennan

May 3, 2006, 8:58:22 AM
to joomla-d...@googlegroups.com
One of the devs could probably provide more complete information, but
see below for comments:

Daniel Mendes wrote:
> Hi,
> I looked at the JMail and JMailHelper classes code in the Mail.php file
> that extends the PHPMailer library, and i found a couple of things i am
> not clear:
>
> 1) There seems to be an incomplete method: " void isEmailAddress
> (mixed $email)", this function is not void it is Boolean, it needs the
> phpDocumentor code. I PM Louis Landry but got no reply, and also PM
> Johan and got no reply, so if someone could add this to svn i would
> appreciate it, i could not access it with my forge user and password:
>
>

Shayne has access to the SVN and is charged with the task of updating the
phpDoc blocks when needed as a member of the documentation team, so any
changes needed should be added to the tracker and he will get to fixing
them.

> /**
> * This method verifies that the string is in a proper e-mail address
> format.
> *
> * @static
> * @param string $email
> * @return boolean
> * @since 1.5
> */
>
> 2) I really don't understand the purpose of the clean* functions in the
> JMailHelper class:
>
> mixed cleanAddress (string $address)
> string cleanBody (string &$body)
> string cleanSubject (string $subject)
>
>

I assume you have looked at the mail.php file? There are descriptions
for these functions:

cleanAddress:

/**
 * This method verifies that an e-mail address does not have any extra headers
 * injected into it. Tests one e-mail address.
 *
 * @static
 * @param string $address E-Mail address
 * @return mixed E-Mail address string or boolean false if injected headers are present
 */

/**
 * This method cleans any injected headers from the subject string.
 *
 * @static
 * @param string $subject E-Mail subject string
 * @return string Cleaned E-Mail subject string
 * @since 1.5
 */
function cleanSubject($subject) {
    return preg_replace("/((From:|To:|Cc:|Bcc:|Content-type:) ([\S]+))/", "", $subject);
}

/**
 * This method cleans any injected headers from the E-Mail body
 *
 * @static
 * @param string $body E-Mail body string
 * @return string Cleaned E-Mail body string
 * @since 1.5
 */
function cleanBody($body)
{
    // Strip all E-Mail headers from a string
    return preg_replace("/((From:|To:|Cc:|Bcc:|Subject:|Content-type:) ([\S]+))/", "", $body);
}


For information on email header injection, see
http://www.jellyandcustard.com/2006/02/24/email-header-injection-in-php/ .

> If someone could explain what are their purpose, goals or use case i
> would appreciate it, it would allow me to write better documentation,
> and some example code.
>
> 3) The useSMTP function and other have all parameter optional, because
> if they are not given they will get their parameters from
> $mainframe->getCfg('smtpauth') I was wondering where that information
> is stored (what file) and what happens if it is not defined in that
> file ?
> the mainframe is a global variable that refers to
>
>

The $mainframe is an object of type JSite. The configuration variables
are found in configuration.php. If you look in the
includes/application.php file you can see the config class being
instantiated. The JSite class is defined in includes/application.php.
The JSite class is an extension of the JApplication class with a few
members overridden that are specific to the website context. For most
purposes, when you go to use $mainframe, you don't need to look at the
JSite class, but rather the JApplication class (which is in
libraries/joomla/application/application.php). JApplication is one of
the central classes in the Joomla Framework and provides an access point
to many of the other objects.

> looking at the :
>
> if (!empty ($this->SMTPAuth) && !empty ($this->Host) && !empty
> ($this->Username) && !empty ($this->Password))
>
> It returns a false on failure, so in my code example i should write
> something like:
>
> if ( !useSMTP() ) echo "The SMTP parameters are not setup in the XXXX file";
>
> This is useful but i would rather have the function return an error
> code if a certain parameter was not defined so i could debug with a
> switch each code... but perhaps this is overkill...
>
>

You don't need all the parameters to be set in order to use SMTP. SMTP
as a protocol only really requires the host parameter. A username,
password or authentication type (I assume that is what SMTPAuth is -
you'd have to check the PHPMailer library (look in
libraries/phpmailer)). Therefore, needless warnings would be produced if,
say, the 'user' parameter was unset.

Hope this helps. If any of this is incorrect, one of the devs should
feel free to step in and clarify things. Thanks for your work Daniel.
I haven't had a chance to look at any of your stuff yet, but the fact
that you are asking questions like this indicates to me that you are on
the right track! Great job!

Ian
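
The cleanSubject() function quoted in this message, run next to a stricter check, as an added example that is not part of the original thread or of Joomla's code. `isSingleLineHeader()` and the sample subjects are constructed for illustration; the comparison shows that removing header tokens leaves the injected line break in place and can also cut legitimate text, while rejecting CR/LF outright does neither.

```php
<?php
// Regex as quoted from mail.php in the message above (wrapped lines joined).
function cleanSubject($subject)
{
    return preg_replace("/((From:|To:|Cc:|Bcc:|Content-type:) ([\S]+))/", "", $subject);
}

// Hypothetical stricter check (not a Joomla function): a header value must be
// a single line, so any value containing CR or LF is rejected outright.
function isSingleLineHeader($value)
{
    return preg_match('/[\r\n]/', $value) === 0;
}

// Constructed sample subjects.
$samples = array(
    'plain'           => "Meeting on Friday",
    'extra header'    => "Hello\r\nBcc: third.party@example.org",
    'legitimate text' => "Reply To: everyone about the agenda",
);

foreach ($samples as $label => $subject) {
    $cleaned = cleanSubject($subject);
    printf(
        "%-16s cleaned=%s line-break-left=%s strict-check=%s\n",
        $label,
        json_encode($cleaned),                        // json_encode makes \r\n visible
        isSingleLineHeader($cleaned) ? 'no' : 'yes',  // did the regex leave CR/LF behind?
        isSingleLineHeader($subject) ? 'accept' : 'reject'
    );
}
```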

Daniel Mendes

May 3, 2006, 9:41:34 AM
to Joomla! Developer Documentation
Thanks for the pointers Ian, my comments are inline

Ian MacLennan wrote:
> For information on email header injection, see
> http://www.jellyandcustard.com/2006/02/24/email-header-injection-in-php/ .

I did look at the code, but was not aware that this was such a big
problem. Thanks for the link, now I have a better understanding of the
subject and can write something that makes sense to 3pd... I will try
to find more information on the topic, and also see what else can be
done to protect from spammers.

> > 3) The useSMTP function and other have all parameter optional, because
> > if they are not given they will get their parameters from
> > $mainframe->getCfg('smtpauth') I was wondering where that information
> > is stored (what file) and what happens if it is not defined in that
> > file ?
> > the mainframe is a global variable that refers to
> >
> >
> The $mainframe is an object of type JSite. The configuration variables
> are found in configuration.php. If you look in the
> includes/application.php file you can see the config class being
> instantiated. The JSite class is defined in includes/application.php.
> The JSite class is an extension of the JApplication class with a few
> members overridden that are specific to the website context. For most
> purposes, when you go to use $mainframe, you don't need to look at the
> JSite class, but rather the JApplication class (which is in
> libraries/joomla/application/application.php). JApplication is one of
> the central classes in the Joomla Framework and provides an access point
> to many of the other objects.

Thanks for the lights :)

> > looking at the :
> >
> > if (!empty ($this->SMTPAuth) && !empty ($this->Host) && !empty
> > ($this->Username) && !empty ($this->Password))
> >
> > It returns a false on failure, so in my code example i should write
> > something like:
> >
> > if ( !useSMTP() ) echo "The SMTP parameters are not setup in the XXXX file";
> >
> > This is useful but i would rather have the function return an error
> > code if a certain parameter was not defined so i could debug with a
> > switch each code... but perhaps this is overkill...

(...)


> You don't need all the parameters to be set in order to use SMTP. SMTP
> as a protocol only really requires the host parameter. A username,
> password or authentication type (I assume that is what SMTPAuth is -
> you'd have to check the PHPMailer library (look in
> libraries/phpmailer). Therefore, needless warnings would be produced if
> say the 'user' parameter was unset.

Hum, my SMTP server requires authentication, looking it up I guess others
don't? So I should have at least two examples, one with authentication
and another with no authentication. Guess I will have to test this...
I also need to mention that even with authentication spoofing is still
possible. Does anyone know some PHP functions/libraries to prevent
spoofing?

But looking at the if, why does the code require that all parameters
are set? Also, couldn't the logic of that if be simplified? I will have
to dig a bit in the PHPMailer.

Anyway I will probably just add a note to the documentation, that if
you have an authenticated SMTP server you need to input the parameters
or set them in the configuration file.

> Hope this helps. If any of this is incorrect, one of the devs should
> feel free to step in and clarify things. Thanks for your work Daniel.
> I haven't had a chance to look at any of your stuff yet, but the fact
> that you are asking questions like this indicates to me that you are on
> the right track! Great job!
>
> Ian

Thanks for the help Ian, I am just getting my PHP legs again; I have not
coded PHP in a long time, being a Java guy and all...
-Dan

Chris Davenport

May 3, 2006, 9:56:40 AM
to joomla-d...@googlegroups.com
Hi Dan,

In message <4458A8EE...@ianmaclennan.org>, Ian MacLennan
<joo...@ianmaclennan.org> writes


>
>One of the devs could probably provide more complete information, but
>see below for comments:
>
>Daniel Mendes wrote:
>> Hi,
>> I looked at the JMail and JMailHelper classes code in the Mail.php file
>> that extends the PHPMailer library, and i found a couple of things i am
>> not clear:
>>
>> 1) There seems to be an incomplete method: " void isEmailAddress
>> (mixed $email)", this function is not void it is Boolean, it needs the
>> phpDocumentor code. I PM Louis Landry but got no reply, and also PM
>> Johan and got no reply, so if someone could add this to svn i would
>> appreciate it, i could not access it with my forge user and password:
>>
>>
>Shayne has access to the SVN and is charged with the task of updated the
>phpDoc blocks when needed as a member of the documentation team, so any
>changes needed should be added to the tracker and he will get to fixing
>them.

Just to clarify: Any errors, etc. with the phpDoc blocks can be noted on
the tracker here:
http://forge.joomla.org/sf/tracker/do/listArtifacts/projects.joomla_official_documentation_pr/tracker.developer_manual
Set the "Category" field to "Core Docblocks" and Shayne should pick it
up at some point.

Regards,
Chris.

--
Chris Davenport
ch...@dcsnet.demon.co.uk

Daniel Mendes

May 3, 2006, 10:10:31 AM
to Joomla! Developer Documentation
Done :)

Ian MacLennan

May 3, 2006, 10:49:53 AM
to joomla-d...@googlegroups.com
Hi Daniel

> I did look at the code, but was not aware that this was such a big
> problem, thanks for the link, now i have a better understanding of the
> subject and can write something that makes sense to 3pd... I will try
> to find more information on the topic, and also se what else can be
> done to protect from spammers.
>
>
This was news to me this morning too...

>
> Hum, my smtp server requires authentication, looking up i guess others
> don't? So i should have at least two examples, one with authentication
> and another with no authentication. Guess i will have to test this...
> also need to mention that even with authentication spoofing is still
> possible, anyone knows some php functions/libraries to prevent
> spoofing?
>
> But looking at the if, why does the code require that all parameters
> are set? Also, couldn't the logic of that if be simplified? I will have
> to dig a bit in the phpmailer.
>
> Anyway i will probably just add a note to the documentation, that if
> you have an authenticated SMTP server you need to input the parameters
> or set them in the configuration file.
>
>
my configuration file has:
var $smtpauth = '0';
var $smtpuser = '';
var $smtppass = '';
var $smtphost = 'localhost';
(this is on a local offline server and are pretty generic values, so no
worries about sharing this... I would say that most SMTP servers do not
have authentication... I guess there is a reason that authentication
wasn't more common from the outset, not sure what it was though :)
I'm guessing that $smtpauth is a flag which indicates whether or not to
use authentication. It seems like the if statement should be something
like:

if ( empty( $this->Host ) || ( ($this->SMTPAuth == 1) && empty( $this->Username ) && empty( $this->Password ) ) ) {
    return false;
} else {
    return true;
}


maybe this should be submitted as a bug?

Ian

Daniel Mendes

May 3, 2006, 11:50:55 AM
to Joomla! Developer Documentation
I am using a hosted SMTP server, and they require authentication...
that is why I asked all these questions.

I think it should be submitted as a bug, or should be explained if it
is not a bug.

Also looking at the regex for isEmailAddress:
/[\w\.\-]+@\w+[\w\.\-]*?\.\w{1,4}/ I think that it should be
/[\w\.\-]+@\w+[\w\.\-]*?\.\w{2,4}/ since I don't know any one-letter
domains and doubt there will ever be any.

I tested a similar regex here:
http://regexlib.com/RETester.aspx?regexp_id=21

Also looking at all the issues with email and at this page:
http://www.securephpwiki.com/index.php/Email_Injection

I have to ask if there are any plans to use all or parts of the Zend
Framework in Joomla. I ask this because it seems that the issue is
solved in Zend_Mail, so I wonder if it is also solved in PHPMailer
(if it is then I don't see a reason for the clean functions; if it is
not I have to wonder why?). I am currently investigating the PHPMailer
library...

-Dan

Louis Landry

May 22, 2006, 10:30:18 PM
to joomla-d...@googlegroups.com
Late to the topic :)

As for the email address regex... I agree that it is unlikely that any one-letter domains pop up... the RFC http://www.faqs.org/rfcs/rfc1035.html allows for single-letter domains and I'd like to keep it as close to that as possible.

As for us using the Zend Framework... I doubt that will be the case, there is not a lot of that framework which we don't already have or have written locally for testing purposes.  This is not to say that we will not use a part of the Zend Framework in the future.... just that at this point it's not planned.

I'm sure your evaluation of the phpmailer script will be welcomed by both joomla users as well as phpmailer users.

Thanks for the time :)

Louis

Daniel MD

May 22, 2006, 10:48:58 PM
to joomla-d...@googlegroups.com
Hi Louis, nice to have news from you...

About the questions, I have reviewed the Zend Framework. Although it does provide more security out of the box than the Joomla solution, it is less flexible; basically you can only add one address at a time, contrary to JMail/PHPMailer where you can add multiple addresses using an array. So I think what we have is better than the Zend Framework, and with the helper functions just as secure.

About the domains regex, I think we should support at least 6 chars for the new TLDs like museum, but it is up to you as the dev to do this or not.

Thanks for your reply,
Dan

Louis Landry

May 22, 2006, 10:52:43 PM
to joomla-d...@googlegroups.com
Good suggestion.... can you get back to me with what the maximum number should be? or is 6 the limit?

Louis

Daniel MD

May 22, 2006, 11:14:19 PM
to joomla-d...@googlegroups.com
I believe right now the limit is 6 (.museum and .travel), but there are plans to add more. In 2008, with city names being allowed as TLDs, more letters might be necessary, but currently the limit is 6; perhaps in Joomla 2.0 we will have 7 or more...

one day there might be no TLDs at all now that would be really nice, since technically there is no limit to the number of combinations possible.

-Dan
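
The TLD-length discussion above, as an added example that is not part of the original thread or of Joomla's code. It assumes the pattern is passed to `preg_match()` exactly as quoted, without anchors; `ANCHORED`, `matches()` and the sample addresses are constructed here to show what the `\w{1,4}` bound does and does not restrict.

```php
<?php
// Pattern exactly as quoted in the thread (no ^ or $ anchors).
const QUOTED = '/[\w\.\-]+@\w+[\w\.\-]*?\.\w{1,4}/';
// Hypothetical anchored variant with the 2-6 character TLD range discussed above.
// The D modifier makes $ match only at the very end, not before a final newline.
const ANCHORED = '/^[\w\.\-]+@\w+[\w\.\-]*?\.\w{2,6}$/D';

function matches($pattern, $address)
{
    return preg_match($pattern, $address) === 1;
}

// Constructed sample inputs.
$samples = array(
    'user@example.com',
    'user@example.museum',
    'user@mail.example.travel',
    'user@example.c',
    'see user@example.com for details',
    "user@example.com\n",
);

foreach ($samples as $address) {
    printf(
        "%-36s quoted=%-3s anchored=%s\n",
        json_encode($address),                        // json_encode makes \n visible
        matches(QUOTED, $address) ? 'yes' : 'no',
        matches(ANCHORED, $address) ? 'yes' : 'no'
    );
}
```

With the quoted pattern every sample matches, `.museum` included, because an unanchored match succeeds on a substring; the length bound on the last label only takes effect once the pattern is anchored at both ends.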