Browse files

MDL-31202 do not try sending emails to invalid addresses

The use of mtrace() in email_to_user() is most probably incorrect, I am going to use it only in CLI scripts (which includes cron). This should not be considered a security issue because we should be already validating emails when accepting them from untrusted users.
  • Loading branch information...
1 parent a141bd9 commit 5125c0e332c3090126df6804bdf56f606f272ecb @skodak skodak committed with Sam Hemelryk Jan 21, 2012
Showing with 11 additions and 0 deletions.
  1. +11 −0 lib/moodlelib.php
@@ -5024,6 +5024,17 @@ function email_to_user($user, $from, $subject, $messagetext, $messagehtml='', $a
return true;
+ if (!validate_email($user->email)) {
+ // we can not send emails to invalid addresses - it might create security issue or confuse the mailer
+ $invalidemail = "User $user->id (".fullname($user).") email ($user->email) is invalid! Not sending.";
+ error_log($invalidemail);
+ if (CLI_SCRIPT) {
+ // do not print this in standard web pages
+ mtrace($invalidemail);
+ }
+ return false;
+ }
if (over_bounce_threshold($user)) {
$bouncemsg = "User $user->id (".fullname($user).") is over bounce threshold! Not sending.";

0 comments on commit 5125c0e

Please sign in to comment.