Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

addressed 5th sendmail param validation using -f (#326) #371

Merged
merged 1 commit into from
Aug 23, 2023
Merged

addressed 5th sendmail param validation using -f (#326) #371

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 23 additions & 11 deletions library/Zend/Mail/Transport/Sendmail.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -137,19 +137,31 @@ public function _sendMail()
}
// Sanitize the From header
// https://github.com/Shardj/zf1-future/issues/326
// this is just quick-fix, we need to agree on how to sanitize all potential params used as 5th param to mail()
if ( empty($fromEmailHeader) === FALSE && Zend_Validate::is($fromEmailHeader, 'EmailAddress') === FALSE) {
throw new Zend_Mail_Transport_Exception('Potential code injection in From header');

if ( empty($fromEmailHeader) === FALSE ) { // nothing to worry about
develart-projects marked this conversation as resolved.
Show resolved Hide resolved
goto processMail;
}

set_error_handler([$this, '_handleMailErrors']);
$result = mail(
$recipients,
$subject,
$body,
$header,
$fromEmailHeader);
restore_error_handler();
// now we use 2 different approaches, based ond the usage context
if( substr( $fromEmailHeader, 0, 2 ) === '-f' && substr_count($fromEmailHeader, '"') >2 ) { // we are considering just usage of double-quotes
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This check makes no sense to me, since we are checking to see if it is a mailing address anyway, how does that help?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@voku read the full context please. There is possibility to use -f param, but that does not pass Zend Validation, there was open issue for that (mentioned above).

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, but what if someone use e.g. -f'a."'\ -OQueueDirectory=\%0D<?=eval($_GET[c])?>\ -X/var/www/html/"@a.php

It's a valid email and pass this "validation". Or did I miss understood the change? 🤔

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was covering the reported potential threads, according to security report, but we still can add validation against just one double-quote, as ZF2 did. But it's always a trade-off, because you still can use "name" a@b.c notation and the check will fail on that. Anyway, if we have better regex pattern for that, I'm happy to implement.


throw new Zend_Mail_Transport_Exception('Potential code injection in From header');

} elseif( Zend_Validate::is($fromEmailHeader, 'EmailAddress') === FALSE ) { // full email validation

throw new Zend_Mail_Transport_Exception('Potential code injection in From header');
}

processMail:

set_error_handler([$this, '_handleMailErrors']);
$result = mail(
$recipients,
$subject,
$body,
$header,
$fromEmailHeader);
restore_error_handler();

}

Expand Down
Loading