
Merge branch 'security/zf2016-04'
Fixes ZF2016-04
weierophinney committed Dec 19, 2016
2 parents 85c3802 + 7260c97 commit 8d18478
Showing 2 changed files with 35 additions and 0 deletions.
10 changes: 10 additions & 0 deletions src/Transport/Sendmail.php
Expand Up @@ -225,6 +225,16 @@ protected function prepareHeaders(Mail\Message $message)
$headers = clone $message->getHeaders();
$headers->removeHeader('To');
$headers->removeHeader('Subject');

// Sanitize the From header
$from = $headers->get('From');
if ($from) {
foreach ($from->getAddressList() as $address) {
if (preg_match('/\\\"/', $address->getEmail())) {

@glensc

glensc Apr 3, 2017

Contributor

you don't really need regex parsing to match a fixed string; http://php.net/strstr or http://php.net/strpos will do.

@Ocramius

Ocramius Apr 3, 2017

Member

@glensc send a PR

@glensc

glensc Apr 4, 2017

Contributor

sent: #134

throw new Exception\RuntimeException('Potential code injection in From header');
}
}
}
return $headers->toString();
}

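Review bot: The guard `if (preg_match('/\\\"/', $address->getEmail()))` is a denylist that refuses exactly one byte sequence, `\"`, in the From address, so any other quoting trick that the downstream consumer mishandles is still let through; if the address later ends up in the additional-parameters string handed to mail() (not visible in this hunk, so inferred), a stronger check is to allow only what RFC 5322 permits in an address and reject any stray backslash or double quote, rather than pattern-matching one known payload. The comment `// Sanitize the From header` is also misleading because nothing is rewritten; `// Refuse From addresses containing \" - they can smuggle sendmail arguments (ZF2016-04); the address is rejected, not rewritten` says what the code does. Note that the check only walks `getAddressList()` and so never looks at the display name, which may or may not matter depending on how the transport builds its parameters. prepareHeaders begins before this hunk.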
25 changes: 25 additions & 0 deletions test/Transport/SendmailTest.php
Expand Up @@ -10,6 +10,7 @@
namespace ZendTest\Mail\Transport;

use Zend\Mail\Message;
use Zend\Mail\Transport\Exception\RuntimeException;
use Zend\Mail\Transport\Sendmail;

/**
Expand Down Expand Up @@ -133,4 +134,28 @@ public function testAssertSubjectEncoded()
$this->transport->send($message);
$this->assertEquals('=?UTF-8?Q?Testing=20Zend\Mail\Transport\Sendmail?=', $this->subject);
}

public function testCodeInjectionInFromHeader()
{
$message = $this->getMessage();
$message->setBody('This is the text of the email.');
$message->setFrom('"AAA\" code injection"@domain', 'Sender\'s name');
$message->addTo('hacker@localhost', 'Name of recipient');
$message->setSubject('TestSubject');

$this->setExpectedException(RuntimeException::class);
$this->transport->send($message);
}

public function testValidEmailLocaDomainInFromHeader()
{
$message = $this->getMessage();
$message->setBody('This is the text of the email.');
$message->setFrom('"foo-bar"@domain', 'Foo Bar');
$message->addTo('hacker@localhost', 'Name of recipient');
$message->setSubject('TestSubject');

$this->transport->send($message);
$this->assertContains('From: Foo Bar <"foo-bar"@domain>', $this->additional_headers);
}
}
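Review bot: testCodeInjectionInFromHeader only proves that a RuntimeException escapes `send()`; it never checks that nothing reached the mail callback, which is the property the fix has to guarantee, and with `setExpectedException` placed before the call no assertion after `send()` would ever run. If setUp records the call the way `$this->subject` and `$this->additional_headers` in the surrounding tests suggest, catch the exception explicitly and assert on that recorded state afterwards, hedged below because the fixture is not in this hunk. The positive test's name also has a typo, `testValidEmailLocaDomainInFromHeader` → `testValidEmailLocalDomainInFromHeader`, and it covers only one quoted local part; a second case such as `"foo\\bar"@domain` (a backslash that is not followed by a quote) would pin down that the denylist is as narrow as intended.
```php
    public function testCodeInjectionInFromHeader()
    {
        // … unchanged: message construction …
        try {
            $this->transport->send($message);
            $this->fail('Expected RuntimeException for \" in From address');
        } catch (RuntimeException $e) {
            // NOTE(review): assert here that the mail callback was never invoked,
            // e.g. on whatever setUp initialises $this->additional_headers to - confirm
        }
    }
```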
