MDL-31202 do not try sending emails to invalid addresses

The use of mtrace() in email_to_user() is most probably incorrect, I am going to use it only in CLI scripts (which includes cron). This should not be considered a security issue because we should be already validating emails when accepting them from untrusted users.
commit 5125c0e332c3090126df6804bdf56f606f272ecb 1 parent a141bd9
@skodak skodak authored samhemelryk committed
Showing with 11 additions and 0 deletions.
  1. +11 −0 lib/moodlelib.php
11 lib/moodlelib.php
@@ -5024,6 +5024,17 @@ function email_to_user($user, $from, $subject, $messagetext, $messagehtml='', $a
return true;
}
+ if (!validate_email($user->email)) {
+ // we can not send emails to invalid addresses - it might create security issue or confuse the mailer
+ $invalidemail = "User $user->id (".fullname($user).") email ($user->email) is invalid! Not sending.";
+ error_log($invalidemail);
+ if (CLI_SCRIPT) {
+ // do not print this in standard web pages
+ mtrace($invalidemail);
+ }
+ return false;
+ }
+
if (over_bounce_threshold($user)) {
$bouncemsg = "User $user->id (".fullname($user).") is over bounce threshold! Not sending.";
error_log($bouncemsg);
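Review bot: In the added block, `$user->email` has just failed `validate_email()` and is still interpolated unmodified into `$invalidemail`, which then goes to `error_log()` and, under `CLI_SCRIPT`, to `mtrace()`. An address containing CR/LF or other control characters can therefore split or forge entries in the error log and in cron output. Strip or encode non-printable characters from the address before building the message, or log only `$user->id` and leave the raw address out. The inline comment "it might create security issue or confuse the mailer" would also be more useful if it named the concern it guards against.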