further Zend Mail sendmail transport validation tweak
develart-projects committed Aug 24, 2023
1 parent 622a60b commit ca18b33
Showing 4 changed files with 15 additions and 7 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.md
Expand Up @@ -6,6 +6,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

## [Unreleased]

## [1.23.5] - 2023-08-24
### Fixed
- further Zend Mail sendmail transport validation tweak

## [1.23.4] - 2023-08-24
### Fixed
- corrected Zend Mail sendmail transport comparison
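Review bot: The 1.23.5 entry, "further Zend Mail sendmail transport validation tweak", does not tell a user what changed in behaviour. The Sendmail.php change in this commit alters which From values are rejected, so the entry should say so, for example that values starting with `-f` are now checked only for their double-quote count and no longer fall through to the `EmailAddress` validation. That lets someone upgrading from 1.23.4 judge the impact without reading the diff.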
2 changes: 1 addition & 1 deletion composer.json
Expand Up @@ -2,7 +2,7 @@
"name": "shardj/zf1-future",
"description": "Zend Framework 1. The aim is to keep ZF1 working with the latest PHP versions",
"type": "library",
"version": "1.23.4",
"version": "1.23.5",
"keywords": [
"framework",
"zf1"
14 changes: 9 additions & 5 deletions library/Zend/Mail/Transport/Sendmail.php
Expand Up @@ -143,13 +143,17 @@ public function _sendMail()
}

// now we use 2 different approaches, based ond the usage context
if( substr( $fromEmailHeader, 0, 2 ) === '-f' && substr_count($fromEmailHeader, '"') >2 ) { // we are considering just usage of double-quotes
if( substr( $fromEmailHeader, 0, 2 ) === '-f' ) {

throw new Zend_Mail_Transport_Exception('Potential code injection in From header');
if(substr_count($fromEmailHeader, '"') >2) { // we are considering just usage of double-quotes
throw new Zend_Mail_Transport_Exception('Potential code injection in From header');
}

} else { // full email validation

} elseif( Zend_Validate::is($fromEmailHeader, 'EmailAddress') === FALSE ) { // full email validation

throw new Zend_Mail_Transport_Exception('Potential code injection in From header');
if( Zend_Validate::is($fromEmailHeader, 'EmailAddress') === FALSE ) {
throw new Zend_Mail_Transport_Exception('Potential code injection in From header');
}
}

processMail:
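Review bot: In the new `-f` branch the only check left is `substr_count($fromEmailHeader, '"') >2`, so any value that starts with `-f` and contains at most two double quotes now passes with no further validation in this hunk, because the `Zend_Validate::is($fromEmailHeader, 'EmailAddress')` check has moved into the `else`. I would extract the address that follows `-f` and run it through the same `EmailAddress` validator instead of relying on the quote count alone, or at least document next to "we are considering just usage of double-quotes" why no other character needs to be rejected on this path. Both branches throw the identical message 'Potential code injection in From header', which makes it impossible to tell from a log which check fired; distinct messages would help triage. None of the four changed files is a test, so a regression test covering a `-f` value and a plain address on each side of both checks should accompany this. Minor: the context comment reads "based ond the usage context", which should be "based on".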
2 changes: 1 addition & 1 deletion library/Zend/Version.php
Expand Up @@ -32,7 +32,7 @@ final class Zend_Version
/**
* Zend Framework version identification - see compareVersion()
*/
const VERSION = '1.23.4';
const VERSION = '1.23.5';

/**
* The latest stable version Zend Framework available
