MDL-31202 do not try sending emails to invalid addresses

The use of mtrace() in email_to_user() is most probably incorrect, I am going to use it only in CLI scripts (which includes cron). This should not be considered a security issue because we should be already validating emails when accepting them from untrusted users.
moodle · Jan 21, 2012 · 1c199e2 · 1c199e2
1 parent f6b4ec2
commit 1c199e2
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/lib/moodlelib.php b/lib/moodlelib.php
@@ -5028,6 +5028,17 @@ function email_to_user($user, $from, $subject, $messagetext, $messagehtml='', $a
         return true;
     }
 
+    if (!validate_email($user->email)) {
+        // we can not send emails to invalid addresses - it might create security issue or confuse the mailer
+        $invalidemail = "User $user->id (".fullname($user).") email ($user->email) is invalid! Not sending.";
+        error_log($invalidemail);
+        if (CLI_SCRIPT) {
+            // do not print this in standard web pages
+            mtrace($invalidemail);
+        }
+        return false;
+    }
+
     if (over_bounce_threshold($user)) {
         $bouncemsg = "User $user->id (".fullname($user).") is over bounce threshold! Not sending.";
         error_log($bouncemsg);