An address that contains line-breaks can add arbitrary SMTP headers. In my mind, the reason for using an address object is to avoid having to deal with escaping odd names and addresses (like would be necessary with `${name} <${address}>`); therefore, it is expected that name and address don't have to be sanitized. Otherwise, it's not just an address object, but an "address plus maybe arbitrary headers," which is not something anyone would want to have. I'm not sure what other fields are vulnerable. This was discovered by @lol768.
The text was updated successfully, but these errors were encountered:
Please fill the following questionnaire about your issue:
I've got a pretty standard
sendMailcall here in an HTTP handler:An
addressthat contains line-breaks can add arbitrary SMTP headers. In my mind, the reason for using an address object is to avoid having to deal with escaping odd names and addresses (like would be necessary with`${name} <${address}>`); therefore, it is expected thatnameandaddressdon't have to be sanitized. Otherwise, it's not just an address object, but an "address plus maybe arbitrary headers," which is not something anyone would want to have. I'm not sure what other fields are vulnerable. This was discovered by @lol768.The text was updated successfully, but these errors were encountered: