
MDL-31202 do not try sending emails to invalid addresses

The use of mtrace() in email_to_user() is most probably incorrect, I am going to use it only in CLI scripts (which includes cron). This should not be considered a security issue because we should be already validating emails when accepting them from untrusted users.
1 parent 7a79813 commit d23fd32be1da9ccdcdf0baf89579952bcb4a92b0 @skodak skodak committed with Sam Hemelryk Jan 21, 2012
Showing with 11 additions and 0 deletions.
  1. +11 −0 lib/moodlelib.php
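--- a/lib/moodlelib.php
+++ b/lib/moodlelib.php
@@ -4627,6 +4627,17 @@ function email_to_user($user, $from, $subject, $messagetext, $messagehtml='', $a
 return true;
 }
+ if (!validate_email($user->email)) {
+ // we can not send emails to invalid addresses - it might create security issue or confuse the mailer
+ $invalidemail = "User $user->id (".fullname($user).") email ($user->email) is invalid! Not sending.";
+ error_log($invalidemail);
+ if (CLI_SCRIPT) {
+ // do not print this in standard web pages
+ mtrace($invalidemail);
+ }
+ return false;
+ }
+
 if (over_bounce_threshold($user)) {
 $bouncemsg = "User $user->id (".fullname($user).") is over bounce threshold! Not sending.";
 error_log($bouncemsg);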
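Review bot: The address that has just failed validate_email() is interpolated verbatim into `$invalidemail` and then handed to error_log() and, under CLI_SCRIPT, to mtrace(), so CR/LF or terminal control bytes in `$user->email` (or in `fullname($user)`) can forge extra log lines or garble cron output. Neutralise control characters before building the message, e.g. `$safeemail = preg_replace('/[\x00-\x1F\x7F]/', '?', $user->email);` and interpolate `$safeemail` instead; logging only `$user->id` would also keep addresses and names out of the error log. The inline comment could name the risk it means rather than "security issue", presumably header injection through the mailer. email_to_user() starts before and continues past this hunk, so how the address is used later is not visible here.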
