starred/SuiteCRM-SuiteCRM
1
0
Fork 0
mirror of https://github.com/SuiteCRM/SuiteCRM.git synced 2026-03-02 19:16:58 -05:00
Code Issues 1.2k Projects Packages Wiki Activity

Bug in url-encoding smtp Gmail password #3309

New issue
Open
opened 2026-02-20 16:03:41 -05:00 by deekerman · 2 comments
deekerman commented 2026-02-20 16:03:41 -05:00
Owner
Copy link

Originally created by @dsconsulting1234 on GitHub (Sep 19, 2018).

Issue

SuiteCRM incorrectly url-encodes "special" characters in (at least) the Gmail smtp password. Or, forgets to un-encode them, depending on how you look at it.

When setting up smtp integration via Administration -> Admin -> Email Settings, I entered the credentials for the Gmail account for SuiteCRM and noticed I received an auth failure.

I had to go into the PHP code and modify it to get the base64-encoded fields instead of just "--obfuscated--", and that's when I saw that a '>' character in the password I entered was being encoded as > before being sent to Gmail's smtp server.

When the password was changed to not have any "special" characters, everything started working, I could send a test message successfully.

Expected Behavior

When putting special characters into Gmail smtp passwords, it should send the password as-stated, and not a url-encoded/escaped version of it.

Actual Behavior

It sends the url-encoded/escaped version of the password, not the actual password.

Possible Fix

Either don't escape the password in the first place, or remember to unescape it before sending to the smtp server.

Steps to Reproduce

Create a gmail account with a '>' in the password.
Go to Administration -> Admin -> Email Settings
Set up Gmail smtp for SuiteCRM.
Edit the code in /bitnami/suitecrm/include/SugarPHPMailer.php in the app container like the following:

            $this->Debugoutput = function($str, $level) {
                // obfuscate part of response if previous line was a server 334 request, for authentication data:
                //static $previousIs334 = true;
                //if ($previousIs334) {
                //    $this->fullSmtpLog .= "$level: CLIENT -> SERVER: ---obfuscated---\n";
                //} else {
                    $this->fullSmtpLog .= "$level: $str\n";
                //}
                //$previousIs334 = (strpos($str, 'SERVER -> CLIENT: 334') !== false);
            };

Open your browser debugger to capture the HTTP response.
Click "send test email" and enter a proper email address.
Click send.
Observe the now-base64-encoded bits in the debug output (before editing the code, it would have been --obfuscated--.
Decode those values doing the following, or the equivalent for the password field:

$ python
>>> import base64
>>> base64.b64decode('VXNlcm5hbWU6')
'Username:'

Note that the '>' that was entered for the password actually becomes >.

Context

This bug effectively breaks smtp integration in a really obscure way that was fairly difficult to debug.
The workaround is easy (change the password to something without "special" characters), but it's difficult for the user/admin to realize that's the proper workaround.

Your Environment

  • SuiteCRM Version used:
$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
bitnami/suitecrm    latest              3e77e7dc807a        5 weeks ago         451 MB
bitnami/mariadb     latest              af8c432caec4        5 weeks ago         298 MB
  • Browser name and version (e.g. Chrome Version 51.0.2704.63 (64-bit)):
    Chrome Version 68.0.3440.106 (Official Build) (64-bit)
  • Environment name and version (e.g. MySQL, PHP 7):
# php --version
PHP 7.0.31 (cli) (built: Jul 27 2018 11:03:09) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2017 Zend Technologies
    with Zend OPcache v7.0.31, Copyright (c) 1999-2017, by Zend Technologies

$ mysql --version
mysql  Ver 15.1 Distrib 10.1.35-MariaDB, for Linux (x86_64) using readline 5.1
  • Operating System and version (e.g Ubuntu 16.04):
# cat /etc/issue
Debian GNU/Linux 9 \n \l
Originally created by @dsconsulting1234 on GitHub (Sep 19, 2018). <!--- Provide a general summary of the issue in the **Title** above --> <!--- Before you open an issue, please check if a similar issue already exists or has been closed before. ---> <!--- If you have discovered a security risk please report it by emailing security@suitecrm.com. This will be delivered to the product team who handle security issues. Please don't disclose security bugs publicly until they have been handled by the security team. ---> #### Issue SuiteCRM incorrectly url-encodes "special" characters in (at least) the Gmail smtp password. Or, forgets to un-encode them, depending on how you look at it. When setting up smtp integration via Administration -> Admin -> Email Settings, I entered the credentials for the Gmail account for SuiteCRM and noticed I received an auth failure. I had to go into the PHP code and modify it to get the base64-encoded fields instead of just "--obfuscated--", and that's when I saw that a '>' character in the password I entered was being encoded as `&gt;` before being sent to Gmail's smtp server. When the password was changed to not have any "special" characters, everything started working, I could send a test message successfully. #### Expected Behavior When putting special characters into Gmail smtp passwords, it should send the password as-stated, and not a url-encoded/escaped version of it. #### Actual Behavior It sends the url-encoded/escaped version of the password, not the actual password. #### Possible Fix Either don't escape the password in the first place, or remember to unescape it before sending to the smtp server. #### Steps to Reproduce Create a gmail account with a '>' in the password. Go to Administration -> Admin -> Email Settings Set up Gmail smtp for SuiteCRM. Edit the code in /bitnami/suitecrm/include/SugarPHPMailer.php in the app container like the following: ``` $this->Debugoutput = function($str, $level) { // obfuscate part of response if previous line was a server 334 request, for authentication data: //static $previousIs334 = true; //if ($previousIs334) { // $this->fullSmtpLog .= "$level: CLIENT -> SERVER: ---obfuscated---\n"; //} else { $this->fullSmtpLog .= "$level: $str\n"; //} //$previousIs334 = (strpos($str, 'SERVER -> CLIENT: 334') !== false); }; ``` Open your browser debugger to capture the HTTP response. Click "send test email" and enter a proper email address. Click send. Observe the now-base64-encoded bits in the debug output (before editing the code, it would have been `--obfuscated--`. Decode those values doing the following, or the equivalent for the password field: ``` $ python >>> import base64 >>> base64.b64decode('VXNlcm5hbWU6') 'Username:' ``` Note that the '>' that was entered for the password actually becomes `&gt;`. #### Context This bug effectively breaks smtp integration in a really obscure way that was fairly difficult to debug. The workaround is easy (change the password to something without "special" characters), but it's difficult for the user/admin to realize that's the proper workaround. #### Your Environment <!--- Include as many relevant details about the environment you experienced the bug in --> * SuiteCRM Version used: ``` $ docker images REPOSITORY TAG IMAGE ID CREATED SIZE bitnami/suitecrm latest 3e77e7dc807a 5 weeks ago 451 MB bitnami/mariadb latest af8c432caec4 5 weeks ago 298 MB ``` * Browser name and version (e.g. Chrome Version 51.0.2704.63 (64-bit)): Chrome Version 68.0.3440.106 (Official Build) (64-bit) * Environment name and version (e.g. MySQL, PHP 7): ``` # php --version PHP 7.0.31 (cli) (built: Jul 27 2018 11:03:09) ( NTS ) Copyright (c) 1997-2017 The PHP Group Zend Engine v3.0.0, Copyright (c) 1998-2017 Zend Technologies with Zend OPcache v7.0.31, Copyright (c) 1999-2017, by Zend Technologies ``` ``` $ mysql --version mysql Ver 15.1 Distrib 10.1.35-MariaDB, for Linux (x86_64) using readline 5.1 ``` * Operating System and version (e.g Ubuntu 16.04): ``` # cat /etc/issue Debian GNU/Linux 9 \n \l ```
deekerman commented 2026-02-20 16:03:42 -05:00
Author
Owner
Copy link

@dsconsulting1234 commented on GitHub (Sep 19, 2018):

Looks like this issue has been around for about ~1 year at least:

https://suitecrm.com/suitecrm/forum/suitecrm-7-0-discussion/15748-smtp-connection-failed-error-in-suitecrm-7-9-4#54284

@dsconsulting1234 commented on GitHub (Sep 19, 2018): Looks like this issue has been around for about ~1 year at least: https://suitecrm.com/suitecrm/forum/suitecrm-7-0-discussion/15748-smtp-connection-failed-error-in-suitecrm-7-9-4#54284
deekerman commented 2026-02-20 16:03:43 -05:00
Author
Owner
Copy link

@benperiton commented on GitHub (Jan 31, 2019):

Also just encountered this on installing a fresh copy - the DB password contained '<' and ended being encoded to &lt;

@benperiton commented on GitHub (Jan 31, 2019): Also just encountered this on installing a fresh copy - the DB password contained '<' and ended being encoded to ```&lt;```
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
hotfix
develop
master
feature/php-8.4-compatibility
hotfix-7.14.x
next
feature/campaigns_revert
v7.15.0
v7.14.8
v7.14.7
v7.14.6
v7.14.5
v7.14.4
v7.14.3
v7.12.14
v7.14.2
v7.14.1
v7.12.13
v7.14.0
v7.14.0-beta
v7.13.4
v7.12.12
v7.12.11
v7.13.3
v7.12.10
v7.13.2
v7.12.9
v7.13.1
v7.13.0
v7.13.0-beta
v7.12.8
v7.12.7
v7.12.6
v7.12.5
v7.12.4
v7.12.3
v7.10.36
v7.12.2
v7.10.35
v7.12.1
v7.10.34
v7.11.23
v7.12.0
v7.12-rc
v7.11.22
v7.10.33
v7.11.21
v7.10.32
v7.11.20
v7.10.31
v7.11.19
v7.10.30
v8.0.0-beta.1
v7.10.29
v7.11.18
v7.11.17
v7.11.16
v7.10.28
v7.11.15
v7.10.27
v7.11.14
v7.10.26
v7.11.13
v7.10.25
v7.11.12
v7.10.24
v7.10.23
v7.11.11
v7.10.22
v7.11.10
v7.10.21
v7.11.9
v7.11.8
v7.10.20
v7.11.7
v7.10.19
v7.8.31
v7.10.18
v7.11.6
v7.11.5
v7.10.17
v7.8.30
v7.11.4
v7.10.16
v7.8.29
v7.11.3
v7.10.15
v7.8.28
v7.11.2
v7.10.14
v7.8.27
v7.11.1
v7.8.26
v7.10.13
v7.11.0
v7.10.12
v7.8.25
v7.11-rc-2
v7.11-rc
v7.10.11
v7.8.24
v7.11-beta
v7.10.10
v7.8.23
v7.10.9
v7.8.22
v7.10.8
v7.8.21
v7.10.7
v7.10.6
v7.8.20
v7.10.5
v7.8.19
v7.10.4
v7.10.3
v7.9.17
v7.8.18
v7.8.17
v7.10.2
v7.9.16
v7.8.16
7.9.15
v7.10.1
v7.10.0
v7.9.14
v7.8.15
v7.8.14
v7.9.13
v7.10-RC-2
v7.8.13
v7.9.12
v.7.9.11
v7.9.11
v7.8.12
v7.9.10
v7.8.11
v7.10-RC
v7.9.9
v7.8.10
v7.10-beta-3
v7.9.8
v7.8.9
v7.10-beta-2
v7.10-beta
v7.9.7
v7.8.8
v7.8.7
7.9.6
v7.9.5
v7.8.6
v7.9.4
v7.9.3
v7.9.2
v7.9.1
v7.8.5
v7.9.0
v7.8.4
v7.9.0-rc
v7.9.0-beta
v7.8.3
v7.8.2
v7.8.1
v7.8.0
v7.8.0-rc
v7.8.0-beta.2
v7.7.9
v7.8.0-beta
v7.7.8
v7.6.10
v7.7.7
v7.6.9
v7.7.6
v7.6.8
v7.7.5
v7.6.7
v7.7.4
v7.7.3
v7.7.2
v7.7.1
v7.7
v7.7-rc2
v7.7-rc
v7.6.6
v7.5.5
v7.6.5
v7.5.4
v7.7-beta2
v7.7-beta1
v7.6.4
v7.6.3
v7.6.2
v7.6.1
v7.6
v7.6-rc
v7.6-beta.2
v7.6-beta-1
v7.5.3
v7.5.2
v7.5.1
v7.5
v7.5-rc
v7.5-beta.2
v7.5-beta
v7.4.3
v7.4.2
v7.4.1
v7.4
v7.3.2
v7.4-rc
v7.4-beta.2
v7.4-beta
v7.3.1
v7.2.4
v7.3
v7.1.8
v7.3beta3
v7.2.3
v7.3-beta
v7.2.2
7.2.2
v7.1.7
7.1.7
v7.1.6
v7.2.1
v7.2
v7.2beta3
v7.1.5
v7.2beta2
v7.2beta
v7.1.4
v7.1.3
v7.1.2
v7.1.1
v7.1
v7.1RC2
v7.1RC
v7.1beta2
v7.1beta
v7.0.2
v7.0.1
Labels
Clear labels   
Area: API

   
Area: Campaigns

   
Area: Cases

   
Area: Clean Up

   
Area: Clean Up: Performance

   
Area: Dashlets

   
Area: Databases

   
Area: Developer Tools

   
Area: Elasticsearch

   
Area: Elasticsearch

   
Area: Emails

   
Area: Emails:Campaigns

   
Area: Emails:Cases

   
Area: Emails:Compose

   
Area: Emails:Config

   
Area: Emails:Templates

   
Area: Environment

   
Area: Installation

   
Area: Language

   
Area: Mobile

   
Area: Module

   
Area: PDFs

   
Area: PHP8

   
Area: Reports

   
Area: Studio

   
Area: Styling

   
Area: Upgrading

   
Area: Workflow

   
Area:Activity Stream

   
Area:Calls

   
Area:Import

   
Area:Projects

   
Area:Search

   
Area:Surveys

   
Area:Themes

   
Area:Users

   
Branch:Hotfix

   
Good First Issue

   
Hacktoberfest

   
Help Wanted

   
PR:Community Contribution

   
PR:Type:Enhancement

   
Priority:Critical

   
Priority:Important

   
Priority:Moderate

   
Severity: Major

   
Severity: Minor

   
Severity: Moderate

   
Status: Requires Code Review

   
Status: Requires Updates

   
Status: Stale

   
Status: Team Investigating

   
Status:Assessed

   
Status:Fix Proposed

   
Status:Needs Assessed

   
Status:Requires Automated Tests

   
Type: Bug

   
Type:Deprecated

   
Type:Discussion

   
Type:Duplicate

   
Type:Invalid

   
Type:Question

   
Type:Suggestion

   
Type:Suggestion
No labels
Area: API
Area: Campaigns
Area: Cases
Area: Clean Up
Area: Clean Up: Performance
Area: Dashlets
Area: Databases
Area: Developer Tools
Area: Elasticsearch
Area: Elasticsearch
Area: Emails
Area: Emails:Campaigns
Area: Emails:Cases
Area: Emails:Compose
Area: Emails:Config
Area: Emails:Templates
Area: Environment
Area: Installation
Area: Language
Area: Mobile
Area: Module
Area: PDFs
Area: PHP8
Area: Reports
Area: Studio
Area: Styling
Area: Upgrading
Area: Workflow
Area:Activity Stream
Area:Calls
Area:Import
Area:Projects
Area:Search
Area:Surveys
Area:Themes
Area:Users
Branch:Hotfix
Good First Issue
Hacktoberfest
Help Wanted
PR:Community Contribution
PR:Type:Enhancement
Priority:Critical
Priority:Important
Priority:Moderate
Severity: Major
Severity: Minor
Severity: Moderate
Status: Requires Code Review
Status: Requires Updates
Status: Stale
Status: Team Investigating
Status:Assessed
Status:Fix Proposed
Status:Needs Assessed
Status:Requires Automated Tests
Type: Bug
Type:Deprecated
Type:Discussion
Type:Duplicate
Type:Invalid
Type:Question
Type:Suggestion
Type:Suggestion
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/SuiteCRM-SuiteCRM#3309
No description provided.