
Hi,

 

I am sorry to open this as a bug request, but imho, this may become a security bug if the person who configures the universal module doesn't want to configure the email notification, or just wants to configure the notifications at a later time.

 

In /components/modules/universal_module/universal_module.php I see these lines:

 

    if (!isset($vars['package_email_html']))
        $vars['package_email_html'] = "{% debug %}";
    if (!isset($vars['package_email_text']))
        $vars['package_email_text'] = "{% debug %}";
    if (!isset($vars['service_email_html']))
        $vars['service_email_html'] = "{% debug %}";
    if (!isset($vars['service_email_text']))
        $vars['service_email_text'] = "{% debug %}";
 
As a result, if you forget to add your own tags, then it may send emails with the server SSL key, as well as the Blesta encryption key. The email is also stored in the Blesta logs, and I am not sure this is the correct place to store this kind of stuff.
 
I would strongly recommend adding a feature in the config files to disable this tag, or at least commenting out those lines, and giving us the choice to enable this or not!
 
Or maybe someone can explain why it's there and what the exact purpose of this is, because the debug logs sent by this tag do not seem to include anything that can help to diagnose a template issue!
 
This tag seems dangerous.  :D
 
Thank you for taking this into consideration!

Cheers!

Carl
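
One way to address the defaults quoted in the post, as an added example (not Blesta's code and not part of the original post): default the four template fields to an empty string and flag any template that still contains the debug tag. The function names are hypothetical, and the pattern assumes the tag is written in the `{% debug %}` form shown above.

```php
<?php
// Added example, not Blesta code. Function and constant names are hypothetical.

// The four template fields that the quoted lines default to "{% debug %}".
const EMAIL_TEMPLATE_KEYS = [
    'package_email_html',
    'package_email_text',
    'service_email_html',
    'service_email_text',
];

// Assumption: the tag looks like {% debug %}, with optional spacing or arguments.
const DEBUG_TAG_PATTERN = '/\{%\s*debug\b[^%]*%\}/i';

// Fill unset template fields with an empty string instead of the debug tag,
// so an unconfigured notification renders nothing into the email or the logs.
function applySafeDefaults(array $vars): array
{
    foreach (EMAIL_TEMPLATE_KEYS as $key) {
        if (!isset($vars[$key])) {
            $vars[$key] = '';
        }
    }
    return $vars;
}

// Return the names of template fields that still contain a debug tag.
function findDebugTemplates(array $vars): array
{
    $flagged = [];
    foreach (EMAIL_TEMPLATE_KEYS as $key) {
        if (isset($vars[$key]) && is_string($vars[$key])
            && preg_match(DEBUG_TAG_PATTERN, $vars[$key]) === 1) {
            $flagged[] = $key;
        }
    }
    return $flagged;
}

// Constructed sample input: one field left over from the old default,
// one configured by the admin, two never set.
$vars = applySafeDefaults([
    'package_email_html' => '<p>Welcome</p>{%  debug %}',
    'service_email_text' => 'Your service is active.',
]);

foreach (findDebugTemplates($vars) as $key) {
    echo "Template '{$key}' contains a debug tag; remove it before saving.\n";
}
```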