Skip to content

Commit

Permalink
Merge pull request Shardj#366 from develart-projects/sendmailEmailHea…
Browse files Browse the repository at this point in the history
…derFix

sendmail header sanitization quick-fix, as described in Shardj#326
  • Loading branch information
develart-projects authored Aug 15, 2023
2 parents 1f5789a + 9bfa4a3 commit ec42481
Showing 1 changed file with 13 additions and 10 deletions.
23 changes: 13 additions & 10 deletions library/Zend/Mail/Transport/Sendmail.php
Original file line number Diff line number Diff line change
Expand Up @@ -136,18 +136,21 @@ public function _sendMail()
$fromEmailHeader = str_replace("\r\n", "\n", $fromEmailHeader);
}
// Sanitize the From header
if (!Zend_Validate::is($fromEmailHeader, 'EmailAddress')) {
// https://github.com/Shardj/zf1-future/issues/326
// this is just quick-fix, we need to agree on how to sanitize all potential params used as 5th param to mail()
if ( empty($fromEmailHeader) === FALSE && Zend_Validate::is($fromEmailHeader, 'EmailAddress') === FALSE) {
throw new Zend_Mail_Transport_Exception('Potential code injection in From header');
} else {
set_error_handler([$this, '_handleMailErrors']);
$result = mail(
$recipients,
$subject,
$body,
$header,
$fromEmailHeader);
restore_error_handler();
}

set_error_handler([$this, '_handleMailErrors']);
$result = mail(
$recipients,
$subject,
$body,
$header,
$fromEmailHeader);
restore_error_handler();

}

if ($this->_errstr !== null || !$result) {
Expand Down

0 comments on commit ec42481

Please sign in to comment.