Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

addressed 5th sendmail param validation using -f (#326) #371

Conversation

develart-projects
Copy link
Collaborator

Current validation setup does not allow to use -f param in the mail() 5th param, blocking some implementations. New check is excluding potential threads for this type of param.

@develart-projects develart-projects added this to the 1.23.3 milestone Aug 23, 2023
@develart-projects develart-projects merged commit 0f0cb95 into Shardj:master Aug 23, 2023
7 of 8 checks passed
@develart-projects develart-projects deleted the mailParametersValidationRework branch August 23, 2023 14:25
library/Zend/Mail/Transport/Sendmail.php Show resolved Hide resolved
$fromEmailHeader);
restore_error_handler();
// now we use 2 different approaches, based ond the usage context
if( substr( $fromEmailHeader, 0, 2 ) === '-f' && substr_count($fromEmailHeader, '"') >2 ) { // we are considering just usage of double-quotes
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This check makes no sense to me, since we are checking to see if it is a mailing address anyway, how does that help?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@voku read the full context please. There is possibility to use -f param, but that does not pass Zend Validation, there was open issue for that (mentioned above).

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, but what if someone use e.g. -f'a."'\ -OQueueDirectory=\%0D<?=eval($_GET[c])?>\ -X/var/www/html/"@a.php

It's a valid email and pass this "validation". Or did I miss understood the change? 🤔

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was covering the reported potential threads, according to security report, but we still can add validation against just one double-quote, as ZF2 did. But it's always a trade-off, because you still can use "name" a@b.c notation and the check will fail on that. Anyway, if we have better regex pattern for that, I'm happy to implement.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants