How about to use Bootstrap and make UI more friendly ? Personally, I am willing to participate on rebuilding if there is a will. What do you guys think ?

Let me know... Thanks

During packaging of phpList for Debian I've noticed that public_html/lists/admin/js/progressbar.js ¹ is non-free because its redistribution is prohibited, see
http://www.dynamicdrive.com/notice.htm

Please consider removing proprietary script. Thanks.

Has anyone tried to make this project use SQLite rather than MySQL?

(And/or, is that a goal of the phplist 4 rewrite?)

Short problem description

A plugin URL is going 403 and I can't found why. I "solve" the issue by adding connector.php on this line:

Steps to reproduce

From the editor, I go to the image server browsing, calling this url:

https://mailing.site.org/lists/admin/plugins/fckphplist/fckeditor/editor/filemanager/connectors/php/connector.php?Command=GetFoldersAndFiles&Type=File&CurrentFolder=%2F&uuid=1530137988035

Expected behaviour

The URL should be accessible.

Actual behaviour

[Thu Jun 28 00:45:41.966389 2018] [authz_core:debug] [pid 13187] mod_authz_core.c(809): [client 90.110.6.214:43194] AH01626: authorization result of Require all denied: denied
[Thu Jun 28 00:45:41.966482 2018] [authz_core:debug] [pid 13187] mod_authz_core.c(809): [client 90.110.6.214:43194] AH01626: authorization result of <RequireAny>: denied
[Thu Jun 28 00:45:41.966568 2018] [authz_core:error] [pid 13187] [client 90.110.6.214:43194] AH01630: client denied by server configuration: /var/www/site.org/mailing/current/web/lists/admin/plugins/fckphplist/fckeditor/editor/filemanager/connectors/php/connector.php

If there are any error messages, please include those as well.

System configuration

Package version

3.3.1

PHP and Composer version

PHP 7.2.5-0ubuntu0.18.04.1 (cli) (built: May  9 2018 17:21:02) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.2.5-0ubuntu0.18.04.1, Copyright (c) 1999-2018, by Zend Technologies

Composer version 1.6.3 2018-01-31 16:28:17

Apache (2.4) configuration

<VirtualHost *:443>
    ServerName mailing.site.org
    DocumentRoot /var/www/site.org/mailing/current/web

    <Directory "/var/www/site.org/mailing/current/web">
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/mailing.site-error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel debug

    CustomLog ${APACHE_LOG_DIR}/mailing.site-access.log combined

    Include /etc/apache2/sites-ssl/site-org.ssl.conf
    Include /etc/apache2/letsencrypt.conf
</VirtualHost>

Hi there,
I'm having problem with the https://github.com/phpList/phplist3/blob/release-3.3.3/public_html/lists/admin/subscribelib2.php#L256

Above which it says "//# hack attempt..."

I'm sr. programmer (to give some context) but php newbie. What happens baffles me.

If I use code as is. I'm able to subscribe using phpList UI; however when I do it using "asubscribe" and my fancy ajax - the user is created and subscribed to the list (both user_user and listuser tables are updated); however the confirmation email is not sent to the user nor is a copy to admin.

I narrowed down the problem to the above mentioned code. If I comment out "exit;" on line 256 everything works perfectly. I receive all the emails.

Out of curiosity, I decided to debug it line-by-line old school way: printing out messages after each line of code (I'm sure there is a better way, but I don't know at this point how else you can debug site on a shared hosting.) Anyways to my surprise, ALL my request where falling into first part of the if fork. So, the condition on line 247 always evaluates to true. All the lines inside the first part of the if fork execute successfully, without any error.

That doesn't make any sense to me as a developer. If it never falls into the "else" clause there is no need to comment out "exit;" on line 256. But without commenting out I have the issue where the confirmation emails are not sent.

Sounds paradoxical to me, even though I got use to things like that. Or perhaps, my luck of php knowledge is the problem.

Please shed some light on the issue. Why it is behaving this way?

The current composer.json does not allow PHP 7.2.

Here is any reason for that? PHP 7.2 is backward compatible against PHP 7.1 according to semver.

https://github.com/phpList/phplist3/blob/master/public_html/lists/index.php#L257

any documentation on how to use it.

it always return FAIL for me.

type: POST
url: /my-website/lists/?p=asubscribe
and data: {email: [email protected], list{"3": "signup"}}

As some other I got trouble on upgrading to 3.3.1 with statistic view, with corrupted uniqid.

And I surprise that uniqid is in varchar(255) shouldn't be better to change to varchar(32)

Changes to the DB structure/schema must always be done in both version 3 https://github.com/phpList/phplist3 and version 4 https://github.com/phpList/phpList .

i am able to batch process a big list ?
i want to send message to 300 subs everyday of my big list of 50.000.
every day next 300 ones.
possible ???

While testing locally, I noticed a link to the unsubscribe page was pointing to the real hosted site instead of the local site.
This link (for example) traces back to the value of "website" in the db table phplist_config.
I believe the database should be 100% portable and anything installation-specific should be in the config FILE.
Having this constant in the database renders the database non-portable and makes all links based on this constant incorrect as per my first observation.
I would extend this point of view to other parameters in the admin configuration like email server and admin email addresses to use, to allow a fully independent installation to be used for testing, so requiring NO database modifications/changes when importing a production database to a development/local environment for functionality testing.

Currently the Update translations page presents too much information because it lists all languages, not just those whose translations have been installed. Further, only one language, the current one, can be updated and that link can be hard to see within the overall list.

I have a few suggestions

• show only those languages that have been installed
• replace the two similar labeled date fields (last updated and last modified) with a message indicating whether new translations are available
• use a Webbler listing so that the information structure is clearer
• allow any installed language to be updated, not just the currently selected language

I update from PHP5 to PHP7.1 on a running phplist installation. After the update i've got logged-out on every click after a successful login with the reason "invalid session token".

I tested with PHP sessions and session tables as well, the behavior was still the same.
Finally I found out that adding a @session_start() at the beginning of admin/index.php fixes the issue.

Environment: phplist 3.3.1, php 7.1.11, apache 2.4.26

@michield There is a runcommand page, file admin/runcommand.php, that appears to restricted to run only from the command line. It refers to $_GET though, in particular $_GET['command']. How is that set?

When I use .htaccess file with this line ('Mitigate the risk of cross-site scripting and other content-injection attacks' as shown in Apache Server Configs v2.15.0 | MIT License -> https://github.com/h5bp/server-configs-apache):

<IfModule mod_headers.c> Header set Content-Security-Policy "script-src 'self'" </IfModule>

The error is this: "all.min.js?v=1487027292:83 Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".

(anonymous) @ all.min.js?v=1487027292:83"

Thanks for your excelent work.

I changed the themes from dressprow to Travelin and login again then,There is repeated popup "Initialising phpList in your language, please wait." .. and moreover submenu names in header is changed .. i tried couple of times reinstalling the phplist with new database but still could not resolve this issue , I am surprised no one has posted this issue till yet .
Can you figure it out whats can be done here ?

On the start page of my PHPList page, there is an image:

http://powered.phplist.com/images/3.0.5/power-phplist.png

However, as my site is HTTPS, having this HTTP-served image results in mixed-content warnings. There should either be a HTTPS version of the page/image, and the image src should use that, or the image should be served locally, not from the powered.phplist.com server.

Mixed-content warnings result in the page not being marked as secure by (at least) Chrome: https://arstechnica.com/information-technology/2015/10/chrome-finally-kills-off-the-http-https-mixed-content-warning/

This is with PHPList 3.0.5.

In table 'phplist_message', there is a 'processed' field, which is UNSIGNED MEDIUMINT(8).
This limits the number of recipients to 16777215 (see EDIT below), however this is not really a problem.

The thing is that other fields regarding number of processed recipients use INT: astext, ashtml, viewed, bounced etc. Their values should never exceed the 'processed' field, so this is mistake for sure.

The type of field comes most likely from https://github.com/phpList/phplist3/blob/master/public_html/lists/admin/structure.php
'processed' => array('mediumint unsigned default 0', 'Number Processed'), 'astext' => array('integer default 0', 'Sent as text'), 'ashtml' => array('integer default 0', 'Sent as HTML'), 'astextandhtml' => array('integer default 0', 'Sent as Text and HTML'), // obsolete 'aspdf' => array('integer default 0', 'Sent as PDF'), 'astextandpdf' => array('integer default 0', 'Sent as Text and PDF'), 'viewed' => array('integer default 0', 'Was the message viewed'),

Screenshot from phpmyadmin:

EDIT: actually, the 'processed' field is increased during each iteration on any recipient. When using domain throttling or there is any other reason to fail, one mail address will be processed many times. Therefore the issue is even more valid, since the processed number can be many times larger than number of sent messages.

$ cat current/web/lists/admin/plugins/fckphplist/fckeditor/editor/filemanager/connectors/phplist/.htaccess
<FilesMatch "\.(php|inc)$">
Order allow,deny
Deny from all
</FilesMatch>
<FilesMatch "(connector.php|upload.php)$">
Order allow,deny
allow from all
</FilesMatch>

The .htaccess file of the plugin is not Apache 2.4 compatible and throw this error:

AH01630: client denied by server configuration:

While uploading an image.

We should check if the plugin did fix this issue and then update it.

FYI, the correct .htaccess for Apache 2.4:

<FilesMatch "\.(php|inc)$">
Require all denied
</FilesMatch>
<FilesMatch "(connector.php|upload.php)$">
Require all granted
</FilesMatch>

I've followed the instructions to install the latest version (checked out using svn)- I successfully installed and logged into the web however there seems to be no CSS formatting whatsoever on the webapp and I just see pure HTML. Not sure if I need to define a theme or something.

Please document origin, copyright and license for images in

• public_html/lists/images/smiley
• public_html/lists/admin/ui/dressprow/images/*x*

It is unlikely that those icon set and smiles are under AGPL-3...

Any meaningful marketing mail sent today is basically forced to inline CSS in order to deliver the expected view experience in the vast variety of mail clients.

Currently an editor can create a new newsletter in the wysiwyg editor (eg TinyMCE). Even if the template itself already uses proper inlined CSS, the content created by the editor still does not get the inlined CSS of course. (eg headings, hr, etc)

I would really appreciate if you could include such a functionality. Some possible PHP implementations (looking rather up to date) for inlining are:

• https://github.com/jjriv/emogrifier
• https://github.com/christiaan/InlineStyle
• https://github.com/tijsverkoyen/CssToInlineStyles/

Looking forward to your feedback on that matter.
Thanks

Hi there,

For me, it is a gray area if we should consider it a bug, a design flaw, or a feature request. If you don't agree that it is an issue, please move it to a proper place, or let me know and will recreate it elsewhere.

So in the root folder of my website I have .htaccess file, to which I added the following snippet
RewriteEngine On RewriteCond %{REQUEST_URI} ^/phplist/admin RewriteCond %{REMOTE_ADDR} !=x.x.x.x RewriteRule ^(.*)$ - [R=403,L]
This lets me access the admin section only from my IP and significantly decrease the angles of possible attacks from the bad boys and girls.

However, when I do that the subscriber facing UI looses all the formatting and style. At first I thought I'll do a quick workaround by just copying all the js and css from admin a level up and change the references in index.php. But after quick inspection I doesn't look like it is an easy workaround. The subscriber UI and admin parts are tightly coupled. And untangling them will be a big effort.

Please consider this for future releases. And I will be grateful if anyone has ideas on how to secure Admin without sacrificing Subscriber's UI.

It is unable to choose a list to exclude. I use latest git master.

At line 400 of admin/send_core.php some bad html. I think that it meant to be either <br/> or <hr/>.

  if ($sendtest) {
      $sendtestresult = '<r/>';
      if (empty($_SESSION['lasttestsent'])) {
          $_SESSION['lasttestsent'] = 0;
      }

If I would want to make a contribution, and the contribution is licensed under AGPL (like PHPLiist itself, perhaps even AGPL 3 or later, not 3 only), would the contribution be possible?

I ask because I'm not sure if the CLA you have would allow this.

The function removeXss() in admin/inc/magic_quotes.php always htmlspecialchars() $_POST, $_GET etc for public pages

function removeXss($string)
{
    if (is_array($string)) {
        $return = array();
        foreach ($string as $key => $val) {
            $return[removeXss($key)] = removeXss($val);
        }
        return $return;
    }
    //$string = preg_replace('/<script/im','&lt;script',$string);
    $string = htmlspecialchars($string);
    return $string;
}

This results in text values, such as a company attribute, that include an & character being corrupted.
So entering M&S gets stored as M&S in the database. Then is displayed as M&S on the preferences page and if submitted is then stored as M&S in the database.

I'm not knowledgeable about how to avoid XSS but cannot believe that htmspecialchars() every parameter is necessary.

Tools like https://topol.io/ automatically include required <meta/>-tag's in the HTML content to assure all platforms will render the mail well.
Are there any plans to include these <meta/>-tag's in mails sent with phplist3?
Example mail of topol,io containing the <meta/>-tags, and even more:
email_topol_io_example.txt

Currently using v3.3.1
Also reproducable here: https://demo.phplist.org/lists/admin/?page=send&id=17&tk=8bfe0f549ad22bae4293df47087e912a

phplist currently uses unsalted single round hashes for admin and user passwords alike (with the option to disable hashing entirely for user passwords so it can be sent to them in an email instead of a change password link if i recall correctly).

I propose the following:

1. Replacing all password handling with password_hash() and password_verify() functions, This will increase the minimum version requirement to php5.5.
   1.1 If this minimum version requirement is not acceptable then including the userland implementation would lower the requirement to "PHP >= 5.3.7 OR a version that has the $2y fix backported into it (such as RedHat provides)".
2. Use the constant PASSWORD_DEFAULT in the phplist configuration. This means phplist will automatically use improved algorithms (as the PHP constant changes) without configuration or code changes, currently Blowfish with a work factor of 10.
3. deprecate and immediately remove plaintext password storage option for user passwords.
4. deprecate and remove at a later date (2 releases?) backwards comparability with passwords stored in the current scheme.

I have started work in this direction for admin passwords here. So far this handles upgrading old/current password hashes to the proposed scheme (and upgrading passwords in the proposed scheme to the new value of PASSWORD_HASH if/when it changes in a future php release), but the "forgot password" options still write the old/current password hashes into the database and i have not touched user passwords.

I would suggest we remove the backwards compatibility for old hashes ASAP, if the user has not logged in when both are supported they can use the forgot password option to reset their password (overwriting the unsupported hash).

https://tools.ietf.org/html/rfc6530

Chars like spanish accents should be accepted.

Sorry if I am sending this question over there instead posting an issue.
Is it there any way to send transaction emails such as "Opt-In Confirmation email", "Subscription Confirmation email" and "Unsubscription confirmation email" to be able to send them in HTML instead PlainText?

In case someone is interested in using this - or to adapt it to phplist core i've built a script which checks and marks bounces / blacklists users - parsing AWS SNS notifications which SES sends when mail delivery failed.

I needed to do this as the standard bounces checking mechanism did not seem to work with SES - i've never received a single bounced email.

Here it is: miraclebg@e2f2f26

:)

The LICENSE file with the GPL is currently missing.

Hi there,

I didn't try that. But by just thinking about it, it doesn't look like this combination will work. I mean you would have to do other calls (which I don't see and API for) to display and process captcha before posting to asubscribe.

If the above is true, should one just roll it's own captcha integration or the built-in plugin can be leveraged somehow?

Thanks

https://github.com/phpList/phplist3/blob/master/public_html/lists/index.php#L265

This is a "small version" of #136.

If I would like to make a contribution, and the contribution is licensed under AGPL (like PHPLiist itself, perhaps even AGPL 3 or later, not 3 only), would the contribution be possible?

I ask because I'm not sure if the CLA you have would allow this.

If you answer, please do a full quote of my question in your answer.

php sleep() function keeps the script active and so any simultaneous access to the website from the same computer will likely be very slow. A meta refresh or perhaps another type of scripting for the delay would behave as idle and not remain active, freeing resources.
So header would contain something like;
<META HTTP-EQUIV="Refresh" <?php echo"CONTENT=\"$delay; URL=$site_url/lists/admin/?page=processqueue\"; ?>">

This pull request #298 has an error

    Sql_Query(sprintf('update %s set viewed = 0 where messageid = %d', $GLOBALS['tables']['message'], $messageid));

It should be referring to the id column of the message table.

Do you follow some Coding Style conventions?

I would recommend to follow at least PSR-1/2 and maybe Symfony conventions.

I can propose some automatic tools to help with it.

Tell me if you are interested. 👍

When entering help AJAX return a 500 error
url is example.com/lists/admin/help/?topic=message&ajaxed=true&page=pageaction&action=

I just upgraded from previous version, I don't know if this error existed before. I checked for error logs but none found.

Any hint?
Thanks

I've been trying to find some info regarding tweaking further the construction of the table block within the subscription pages without success so far. Read https://www.phplist.org/manual/ch025_subscribe-page-design-and-configuration.xhtml and linked pages but did not find any info regarding.

I can think this code is generated at: public_html/lists/admin/subscribelib2.php but not sure.

I can see the attributes inputs include a class assigned with the attribute id (ie <input type="text" name="attribute31" ..."

but It would be of great help in order to design the page with css and have further personalization options that that class was also included within the TR so "anything" of that row could be personalized. It makes sense for CSS personalization to start on the first level as that would allow me to tweak the tr itslelf or any of their containing items, including input, select or label. Furthermore a "label" and "input" or value on each of the corresponding td would also help alltough can be done with nth position.

Happy to consider helping on it if all that construction is centralised on a certain file or function.

Thanks.

Hello.

Just downloaded and uploaded phpList3.

I uploaded "lists" directory to www.domain.com/phplist but when clicking in some links in admin, it tries to go to "www.domain.com/lists" !

Is dir. name hardcoded ?

--- public_html/lists/admin/PHPMailer/class.phpmaileroauthgoogle.php	Fri Jan 16 08:56:28 1970
+++ public_html/lists/admin/PHPMailer/class.phpmaileroauthgoogle.php	Fri Jan 16 08:56:28 1970
@@ -51,10 +51,10 @@
 
     private function getProvider()
     {
-        return new League\OAuth2\Client\Provider\Google([
+        return new League\OAuth2\Client\Provider\Google(Array(
             'clientId' => $this->oauthClientId,
             'clientSecret' => $this->oauthClientSecret
-        ]);
+        ));
     }
 
     private function getGrant()
@@ -66,7 +66,7 @@
     {
         $provider = $this->getProvider();
         $grant = $this->getGrant();
-        return $provider->getAccessToken($grant, ['refresh_token' => $this->oauthRefreshToken]);
+        return $provider->getAccessToken($grant, Array('refresh_token' => $this->oauthRefreshToken));
     }
 
     public function getOauth64()
--- public_html/lists/admin/PHPMailer/get_oauth_token.php	Fri Jan 16 08:56:28 1970
+++ public_html/lists/admin/PHPMailer/get_oauth_token.php	Fri Jan 16 08:56:28 1970
@@ -80,24 +80,24 @@
 
         $params = array_merge(
             parent::getAuthorizationParameters($options),
-            array_filter([
+            array_filter(Array(
                 'hd'          => $this->hostedDomain,
                 'access_type' => $this->accessType,
-		'scope'       => $this->scope,
+                'scope'       => $this->scope,
                 // if the user is logged in with more than one account ask which one to use for the login!
                 'authuser'    => '-1'
-            ])
+            ))
         );
         return $params;
     }
 
     protected function getDefaultScopes()
     {
-        return [
+        return Array(
             'email',
             'openid',
             'profile',
-        ];
+        );
     }
 
     protected function getScopeSeparator()

PHPMailer_diff.txt

This is a blocker for #138.

A UUID is not being generated when someone subscribes. That seems to be the only place where that is the case. Adding a user through the admin interface does generate the UUID, as does adding a user when sending a test message.

Hi,
I'm trying to run the latest git version from the master branch and the packaged version available for download on the site with Nginx and PHP-FPM 7.1.

The /admin/index.php page loads correctly, then I click on the "Initialise Database" link and I get sent to /admin/?page=initialise&firstinstall=1&tk=623eb2151a1586d89cd12484397a490e, where I get this:

Database error 1146 while doing query Table 'phplist.phplist_subscribepage' doesn't exist
Database error 1146 while doing query Table 'phplist.phplist_subscribepage' doesn't exist
Database error 1146 while doing query Table 'phplist.phplist_subscribepage' doesn't exist
Unsubscribe from our Newsletters

There's nothing in the error log.

I've tried to debug a little, but honestly I'm a bit lost in your code.

Why would phplist ask for phplist_subscribepage to exist if it is not installed yet? Any quick solution to this, or should I debug more?

The release here https://github.com/phpList/phplist3/releases/tag/phplist-3.3.0 doesn't include the further fix I provided for replacing the '-4' sequences in the UUIDs. Currently links in text emails will be broken due to replacing one character by two.
This is the fix I submitted to branch dev33 to replace the single statement at line 630

                    $masked = $linkUUID . $cached[$messageid]['uuid'] . $userdata['uuid'];
                    $uuidLength = strlen($linkUUID);
                    $masked[14] = substr(bin2hex(random_bytes(1)), 0, 1);
                    $masked[$uuidLength + 14] = substr(bin2hex(random_bytes(1)), 0, 1);
                    $masked[$uuidLength * 2 + 14] = substr(bin2hex(random_bytes(1)), 0, 1);