L3Y Posted May 26, 2015

Hi,

I am sorry to open this as a bug request, but imho, this may become a security bug if the person who configures the universal module doesn't want to configure the email notification, or just wants to configure the notifications at a later time.

In /components/modules/universal_module/universal_module.php I see these lines:

    if (!isset($vars['package_email_html'])) $vars['package_email_html'] = "{% debug %}";
    if (!isset($vars['package_email_text'])) $vars['package_email_text'] = "{% debug %}";
    if (!isset($vars['service_email_html'])) $vars['service_email_html'] = "{% debug %}";
    if (!isset($vars['service_email_text'])) $vars['service_email_text'] = "{% debug %}";

As a result, if you forget to add your own tags, then it may send emails with the server SSL key, as well as the Blesta encryption key. The email is also stored in the Blesta logs, and I am not sure this is the correct place to store this kind of stuff.

I would strongly recommend adding a feature in the config files to disable this tag, or at least commenting out those lines, and giving us the choice to enable this or not!

Or maybe someone can explain why it's there and what the exact purpose of this is, because the debug logs sent by this tag do not seem to include anything that can help to diagnose a template issue! This tag seems dangerous.

Thank you for taking this into consideration!

Cheers!
Carl

Tyson Posted June 5, 2015

I don't think the debug tag should be set by default either. CORE-1696 will remove it.