ownCloud password changed email is sent in Plain text #35255

Closed
davitol opened this issue May 17, 2019 · 9 comments

davitol commented May 17, 2019

Steps to reproduce

  1. As admin user create a new user introducing Username and e-mail
  2. Log into the email, and set the password ("Please set the password by accessing it: Here")
  3. Check the ownCloud password changed email

Expected behaviour

'ownCloud password changed' email should be shown properly

Actual behavior

'ownCloud password changed' email is sent in plain text

Server configuration

Operating system: Ubuntu 18.04
Web server: Apache2
Database: SQLite
PHP version: 7.1
ownCloud version (see ownCloud admin page): 10.2.0
Updated from an older ownCloud or fresh install: fresh

CC @patrickjahns @micbar

patrickjahns commented May 17, 2019

@davitol
can you please provide the raw mail? Did you check with a different client?
Also what method of transport for mails was used - any further debug information available?

patrickjahns added this to the QA milestone May 17, 2019

davitol commented May 17, 2019

Delivered-To: dtoledo@XXXX
Received: by 2002:a25:824f:0:0:0:0:0 with SMTP id d15csp1567784ybn;
        Fri, 17 May 2019 00:53:55 -0700 (PDT)
X-Received: by 2002:a1c:800f:: with SMTP id b15mr1202631wmd.46.1558079635875;
        Fri, 17 May 2019 00:53:55 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1558079635; cv=none;
        d=google.com; s=arc-20160816;
        b=1K15LGQi6op216eroj1a7RnkBrxEZqLtDUFCmbz4wSnriZDHtwvap86ZuWSKHQBq6U
         PYcmnZKgT5lzhU9QqXsq5O2zhyOmDiRGCyQRyEGh4hcroLw+6MRldsSM+utl/Vd40LUD
         MJadxyPVnNWl+0QHLtUxOpnyKK3lWskGIGbeN4TEzBlAsebiLTrkCWkXWhezN+nBboah
         NBKBt8D43yhJGU3CsLsa1VxD6PVHcSk6ItcUR6ZvsBY8wGQLEmTovqNpVwOAFLUYs6m4
         2SgUPYt1W9/teJDBsu0pr4+ClG35DUwmzPRAjsjIlk/J0ogUWbo2SDvnv8TdUhEbJaXo
         z8fQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:mime-version:to:from:subject:date
         :message-id:dkim-signature;
        bh=1UZ/8/LJVIeQPuA5PO7T3tlc6zoHJA7IezOHZIVOVOg=;
        b=rN7TbylTqqaIi80YEhUzByCkHNHlaFm2Q+/M1EkJGEB2gOryuubtQNX2jwIHtnavHS
         5vNlhUn51faLjpswvgtfryP79F5AbR7INjOI5M+jT8GrgVPTQfHeepY2CfEb3jCFsnqS
         EY711wX/2aZI68MRChvJm0AWkV0tcKffwNuAGvO3uj3XnYyqGj//Fl6TnKyW/QTbVUyh
         4v83XAZi1pL4ll31Dz/qucuTEAUYaBGk6Wj9S4A/svu4OU44fWbaLqWdJpnlOyOXKP0V
         20pBCqhdPLsJotB4Lv34Up2zTZBr/mzlQHK/IuYYw/QS2pRvBUmb/IGCA8H5WetKBBL3
         07nQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=mzkQrrX4;
       spf=pass (google.com: domain of owncloud@XXXX designates 209.85.220.41 as permitted sender) smtp.mailfrom=owncloud@XXXX;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <owncloudsg@gmail.com>
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41])
        by mx.google.com with SMTPS id a15sor703703wmd.11.2019.05.17.00.53.55
        for <dtoledo@XXXXX>
        (Google Transport Security);
        Fri, 17 May 2019 00:53:55 -0700 (PDT)
Received-SPF: pass (google.com: domain of owncloudsg@gmail.com designates 209.85.220.41 as permitted sender) client-ip=209.85.220.41;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=mzkQrrX4;
       spf=pass (google.com: domain of owncloudsg@gmail.com designates 209.85.220.41 as permitted sender) smtp.mailfrom=owncloudsg@gmail.com;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=message-id:date:subject:from:to:mime-version
         :content-transfer-encoding;
        bh=1UZ/8/LJVIeQPuA5PO7T3tlc6zoHJA7IezOHZIVOVOg=;
        b=mzkQrrX4Nqv2mcI4XuLO4ZxBVsp6XJJigElC1IAnzWmCU1vFfKNjZBmP5bat66485L
         TO17vX474KCc/HhA5u75iIyjj3feQ1J+qck8fzc6FFn4vaJKCB2cnCnP7oDfxINWEKwp
         bGkr9XV+Y0gvIGtZxUOxnbYzYcRMq3Jcrr/rrJeNfsPF+52ca9aCTX/s88VQ612KRFRR
         JOBzJHRiSc6BAvTuE+BKQC2EGuQDPpPBs84T9ovtLBfiA744MO0kKDcflEZKp0bdVMDp
         uwCNPzgjhRIBbHQh8Hb9qoC7YgU/VNGSx93rz+/Rg+lXwbhv/0VXC1avXl17+tILJJnE
         yJLQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:message-id:date:subject:from:to:mime-version
         :content-transfer-encoding;
        bh=1UZ/8/LJVIeQPuA5PO7T3tlc6zoHJA7IezOHZIVOVOg=;
        b=ZJQGjdEt8XhmV26SeZEtR9wffOZciIU61slYJmMmleiiLVshziZ2hBuDiLLuD0mvQN
         NBS2yOU7uSuP2l2nf+mKiQHJpvq+nKxhE8k8EEvkfPSgW35z0VFolmMnVNTNnCpQc1vL
         cwuit3BBLGATkndRTeMJ7A+nitCDhhuAwwHBQiSTXzjjd7Xw6HRLqn8GPw4ju3l2C1L2
         7k711D77bBm8muBdlgkqVFaGASd/p80g+mXPWZghV5mKzxFVegJiZOJpIjhNKW7AWKWB
         B/rfG1v+2f4HCYhsQMLJXK9Wzr1R763p6TAWn628MdNGvRa5hta2HV+qOxPNDB5khFJU
         LymQ==
X-Gm-Message-State: APjAAAVg6jZFC0y7PBVx4SmO4dWMf1FHF4dS9ldkClWh/vahq8lh7b32 nWLxl2jeo8ivATz+Kx5FF5hnqRE3
X-Google-Smtp-Source: APXvYqylQOi79bdFYwAYQnSxwikwVzU+UhMgaM30tzwWi43O2LibZNgI5i0Lnerm9LLTPooGa3XKRQ==
X-Received: by 2002:a1c:6a0e:: with SMTP id f14mr6034975wmc.69.1558079635519;
        Fri, 17 May 2019 00:53:55 -0700 (PDT)
Return-Path: <owncloud@XXXX>
Received: from [10.40.40.222] (79.pool85-57-168.dynamic.orange.es. [85.57.168.79])
        by smtp.gmail.com with ESMTPSA id e8sm17218798wrc.34.2019.05.17.00.53.54
        for <dtoledo@XXXX>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 17 May 2019 00:53:55 -0700 (PDT)
Message-ID: <36160de28638e69d5db5fed809dbe822@10.40.40.222>
Date: Fri, 17 May 2019 07:53:54 +0000
Subject: ownCloud password changed successfully
From: ownCloud <owncloud@XXXX>
To: ele <dtoledo@XXXX>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

<table cellspacing=3D"0" cellpadding=3D"0" border=3D"0" width=3D"100%">
=09<tr><td>
=09=09=09<table cellspacing=3D"0" cellpadding=3D"0" border=3D"0" width=3D"6=
00px">
=09=09=09=09<tr>
=09=09=09=09=09<td bgcolor=3D"#fff" width=3D"20px">&nbsp;</td>
=09=09=09=09=09<td bgcolor=3D"#fff">
=09=09=09=09=09=09<img src=3D"http://10.40.40.222:9681/apps/theme-enterpris=
e/core/img/logo-mail.gif" alt=3D"ownCloud"/>
=09=09=09=09=09</td>
=09=09=09=09</tr>
=09=09=09=09<tr><td colspan=3D"2">&nbsp;</td></tr>
=09=09=09=09<tr>
=09=09=09=09=09<td width=3D"20px">&nbsp;</td>
=09=09=09=09=09<td style=3D"font-weight:normal; font-size:0.8em; line-heigh=
t:1.2em; font-family:verdana,'arial',sans;">
=09=09=09=09=09=09Password changed successfully=09=09=09=09=09</td>
=09=09=09=09</tr>
=09=09=09=09<tr><td colspan=3D"2">&nbsp;</td></tr>
=09=09=09=09<tr>
=09=09=09=09=09<td width=3D"20px">&nbsp;</td>
=09=09=09=09=09<td style=3D"font-weight:normal; font-size:0.8em; line-heigh=
t:1.2em; font-family:verdana,'arial',sans;">
=09=09=09=09=09=09--<br>
ownCloud -
Your Cloud, Your Data, Your Way!<br><a href=3D"https://owncloud.com">https:=
//owncloud.com</a>
=09=09=09=09=09</td>
=09=09=09=09</tr>
=09=09=09=09<tr>
=09=09=09=09=09<td colspan=3D"2">&nbsp;</td>
=09=09=09=09</tr>
=09=09=09</table>
=09=09</td></tr>
</table>

Tested with a Gmail and a Hotmail account, opened via browser (Mozilla Firefox and Safari).

davitol commented May 17, 2019

<?php
$CONFIG = array(
    /* ... */
    'mail_smtpname' => 'owncloudXXX@gmail.com',
    'mail_from_address' => 'owncloudXXX',
    'mail_smtppassword' => 'XXXXX',
    'mail_smtpmode' => 'smtp',
    'mail_smtpauth' => true,
    'mail_smtpauthtype' => 'LOGIN',
    'mail_smtphost' => 'smtp.gmail.com',
    'mail_smtpport' => '587',
    'mail_domain' => 'gmail.com',
    'mail_smtpsecure' => 'tls',
    /* ... */
);

@patrickjahns

Can confirm - tested with 10.2 and mailhog

Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=utf-8
Date: Fri, 17 May 2019 08:55:20 +0000
From: ownCloud <noreply@mailhog>
MIME-Version: 1.0
Message-ID: <eea5237b47b2e3dade2e836328f108df@localhost>
Received: from localhost by mailhog.example (MailHog)
          id 0z2IvUjlIGm80ct947lVNtkCfFPVf4qDvS8m0RbO6fo=@mailhog.example; Fri, 17 May 2019 08:55:20 +0000
Return-Path: <noreply@mailhog>
Subject: ownCloud password changed successfully
To: blubb <blubb@test.de>

<table cellspacing=3D"0" cellpadding=3D"0" border=3D"0" width=3D"100%">
=
=09<tr><td>
=09=09=09<table cellspacing=3D"0" cellpadding=3D"0" border=3D=
"0" width=3D"600px">
=09=09=09=09<tr>
=09=09=09=09=09<td bgcolor=3D"#1d=
2d44" width=3D"20px">&nbsp;</td>
=09=09=09=09=09<td bgcolor=3D"#1d2d44">=

=09=09=09=09=09=09<img src=3D"http://localhost:8080/core/img/logo-mail.g=
if" alt=3D"ownCloud"/>
=09=09=09=09=09</td>
=09=09=09=09</tr>
=09=09=
=09=09<tr><td colspan=3D"2">&nbsp;</td></tr>
=09=09=09=09<tr>
=09=09=09=
=09=09<td width=3D"20px">&nbsp;</td>
=09=09=09=09=09<td style=3D"font-wei=
ght:normal; font-size:0.8em; line-height:1.2em; font-family:verdana,'arial'=
,sans;">
=09=09=09=09=09=09Password changed successfully=09=09=09=09=09</=
td>
=09=09=09=09</tr>
=09=09=09=09<tr><td colspan=3D"2">&nbsp;</td></tr=
>
=09=09=09=09<tr>
=09=09=09=09=09<td width=3D"20px">&nbsp;</td>
=09=
=09=09=09=09<td style=3D"font-weight:normal; font-size:0.8em; line-height:1=
.2em; font-family:verdana,'arial',sans;">
=09=09=09=09=09=09--<br>
ownC=
loud -
A safe home for all your data<br><a href=3D"https://owncloud.org">=
https://owncloud.org</a>
=09=09=09=09=09</td>
=09=09=09=09</tr>
=09=
=09=09=09<tr>
=09=09=09=09=09<td colspan=3D"2">&nbsp;</td>
=09=09=09=09=
</tr>
=09=09=09</table>
=09=09</td></tr>
</table>
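
A check for the condition visible in the two raw messages above, as an added example that is not part of the original thread or of ownCloud's code: it decodes every `text/plain` part (undoing quoted-printable, including soft line breaks) and reports the parts whose body is actually HTML markup. The sample message is constructed with placeholder addresses, and the tag list in `HTML_TAG` and the function name are assumptions chosen for illustration.

```python
import email
import re
from email import policy

# Constructed sample modelled on the messages quoted in this thread.
# Addresses are placeholders; "line-heigh=\nt" is a quoted-printable soft break.
SAMPLE_PLAIN = "\n".join([
    "Subject: ownCloud password changed successfully",
    "From: ownCloud <noreply@example.test>",
    "To: user <user@example.test>",
    "MIME-Version: 1.0",
    "Content-Type: text/plain; charset=utf-8",
    "Content-Transfer-Encoding: quoted-printable",
    "",
    '<table cellspacing=3D"0" width=3D"100%">',
    '=09<tr><td style=3D"font-size:0.8em; line-heigh=',
    't:1.2em;">Password changed successfully</td></tr>',
    "</table>",
    "",
])
# Same message with the header a mail client needs in order to render the body.
SAMPLE_FIXED = SAMPLE_PLAIN.replace("text/plain", "text/html")

# Opening tags that indicate an HTML body (illustrative list, not exhaustive).
HTML_TAG = re.compile(r"<\s*(html|body|table|tr|td|div|p|a|br|img)\b[^>]*>", re.I)


def mislabelled_parts(raw):
    """Return one finding per text/plain part whose decoded body holds HTML tags."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart() or part.get_content_type() != "text/plain":
            continue
        body = part.get_content()  # decodes transfer encoding and charset
        tags = HTML_TAG.findall(body)
        if tags:
            findings.append({
                "declared": part.get_content_type(),
                "encoding": part.get("Content-Transfer-Encoding", "7bit"),
                "html_tags": len(tags),
                "soft_break_joined": "line-height" in body,
            })
    return findings


if __name__ == "__main__":
    for name, raw in (("as sent", SAMPLE_PLAIN), ("fixed", SAMPLE_FIXED)):
        print(name, mislabelled_parts(raw))
```

Run against mail captured from a test SMTP sink, a non-empty result means the template was rendered as HTML but sent with a `text/plain` header, which is the regression reported here.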

davitol commented May 17, 2019

So it is a regression

@tomneedham

I see we have two methods in the code for sending the password reset email:

micbar commented May 17, 2019

@patrickjahns

@sharidas - is the issue fixed? Can this be closed?

sharidas commented Jun 6, 2019

The PR related to this issue:

> @sharidas - is the issue fixed? Can this be closed?

@patrickjahns The changes have been merged, yes this issue can be closed.

micbar closed this as completed Jun 6, 2019
lock bot locked as resolved and limited conversation to collaborators Jun 24, 2020