
elofgren: Define 'EMAIL_BOUNCEHANDLER_KEY' in sapphire/_config.php and require its value to be sent as 'Key' $_GET var in pings to /Email_BounceHandler to prevent fake email bounce pings.

(merged from branches/gsoc)


git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@41977 467b73ca-7a2a-4603-9d3b-597d59a354a9
1 parent f54e9db commit 87a05354392c9016151534e26a1bb3e10b9e0d62 @chillu chillu committed Sep 16, 2007
Showing with 12 additions and 0 deletions.
  1. +6 −0 _config.php
  2. +6 −0 core/Email.php
@@ -81,5 +81,11 @@
*/
Security::set_password_encryption_algorithm('sha1', true);
+/**
+ * The secret key that needs to be sent along with pings to /Email_BounceHandler.
+ * Change this to something different for increase security.
+ * For more information see: http://doc.silverstripe.com/doku.php?id=email_bouncehandler
+ */
+define('EMAIL_BOUNCEHANDLER_KEY', '1aaaf8fb60ea253dbf6efa71baaacbb3');
?>
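Review bot: The define('EMAIL_BOUNCEHANDLER_KEY', ...) line commits a fixed secret to the shared _config.php, so every installation that does not edit it accepts the same key that is published in this commit. Consider leaving the constant undefined here and having the handler reject all pings until a site-specific value is configured, or at least wrapping the define in if(!defined('EMAIL_BOUNCEHANDLER_KEY')) so a site can set its own value without editing this file. The docblock also has a typo: "for increase security" should read "for increased security".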
@@ -797,6 +797,12 @@ function index() {
return;
}
+ // Check against access key defined in sapphire/_config.php
+ if( !isset($_REQUEST['Key']) || $_REQUEST['Key'] != EMAIL_BOUNCEHANDLER_KEY) {
+ echo 'Error: Access validation failed. Invalid "Key" specified.';
+ return;
+ }
+
if( !$_REQUEST['Email'] ) {
echo "No email address";
return;
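Review bot: The comparison $_REQUEST['Key'] != EMAIL_BOUNCEHANDLER_KEY in the new if block is loose and not constant-time, so it is subject to PHP type juggling (numeric-looking strings can compare equal to a different key) and its timing depends on the input. Check that the value is a string and compare with hash_equals() where available, or with !== at minimum. The commit message says the key is sent as a $_GET var, but the check reads $_REQUEST, which also accepts POST and cookie values; read the one source you intend, keeping in mind that a key in the query string ends up in access logs. The rejection path only echoes a message and returns, so consider sending a 403 status as well.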
