From 7260c9768bf27c84f994c48698493fd1fa62fca3 Mon Sep 17 00:00:00 2001
From: Enrico Zimuel
Date: Mon, 19 Dec 2016 16:29:03 +0100
Subject: [PATCH] Fixes ZF2016-04 vulnerability
Fixed sendmail remote code execution vulnerability.
---
 src/Transport/Sendmail.php | 10 ++++++++++
 test/Transport/SendmailTest.php | 25 +++++++++++++++++++++++++
 2 files changed, 35 insertions(+)
diff --git a/src/Transport/Sendmail.php b/src/Transport/Sendmail.php
index 604f7fb3..49203c81 100644
--- a/src/Transport/Sendmail.php
+++ b/src/Transport/Sendmail.php
@@ -225,6 +225,16 @@ protected function prepareHeaders(Mail\Message $message)
 $headers = clone $message->getHeaders();
 $headers->removeHeader('To');
 $headers->removeHeader('Subject');
+
+ // Sanitize the From header
+ $from = $headers->get('From');
+ if ($from) {
+ foreach ($from->getAddressList() as $address) {
+ if (preg_match('/\\\"/', $address->getEmail())) {
+ throw new Exception\RuntimeException('Potential code injection in From header');
+ }
+ }
+ }
 return $headers->toString();
 }
diff --git a/test/Transport/SendmailTest.php b/test/Transport/SendmailTest.php
index d1f88f9f..c1ad5518 100644
--- a/test/Transport/SendmailTest.php
+++ b/test/Transport/SendmailTest.php
@@ -10,6 +10,7 @@ namespace ZendTest\Mail\Transport;
 use Zend\Mail\Message;
+use Zend\Mail\Transport\Exception\RuntimeException;
 use Zend\Mail\Transport\Sendmail;
 /**
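Review bot: The guard added to prepareHeaders is a denylist that rejects only a From address whose local part contains an escaped quote (`\"`); that matches the ZF2016-04 report, but any other sequence a quoted local part can carry passes untouched, so an allowlist (reject any address whose local part contains characters the transport cannot safely hand onward) would be the more durable check. The comment `// Sanitize the From header` overstates what the code does, since nothing is rewritten and the message is simply refused; `// Reject a From address whose quoted local part contains an escaped quote (\"); see ZF2016-04` describes the behaviour accurately. If the same address also feeds the additional parameters passed to the underlying mail call elsewhere in this class, or can be taken from a Sender header there (neither is visible in the hunk), the check belongs on that path as well, not only on the header serialisation. The regex `'/\\\"/'` is harder to read than it needs to be; `strpos($address->getEmail(), '\\"') !== false` expresses the same test directly. prepareHeaders's signature and the start of its body lie outside the hunk.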
@@ -133,4 +134,28 @@ public function testAssertSubjectEncoded()
 $this->transport->send($message);
 $this->assertEquals('=?UTF-8?Q?Testing=20Zend\Mail\Transport\Sendmail?=', $this->subject);
 }
+
+ public function testCodeInjectionInFromHeader()
+ {
+ $message = $this->getMessage();
+ $message->setBody('This is the text of the email.');
+ $message->setFrom('"AAA\" code injection"@domain', 'Sender\'s name');
+ $message->addTo('hacker@localhost', 'Name of recipient');
+ $message->setSubject('TestSubject');
+
+ $this->setExpectedException(RuntimeException::class);
+ $this->transport->send($message);
+ }
+
+ public function testValidEmailLocaDomainInFromHeader()
+ {
+ $message = $this->getMessage();
+ $message->setBody('This is the text of the email.');
+ $message->setFrom('"foo-bar"@domain', 'Foo Bar');
+ $message->addTo('hacker@localhost', 'Name of recipient');
+ $message->setSubject('TestSubject');
+
+ $this->transport->send($message);
+ $this->assertContains('From: Foo Bar <"foo-bar"@domain>', $this->additional_headers);
+ }
 }
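Review bot: `testValidEmailLocaDomainInFromHeader` has a typo in its name; `testValidEmailLocalDomainInFromHeader` is what was intended. testCodeInjectionInFromHeader pins a single rejected shape and testValidEmailLocaDomainInFromHeader a single accepted one, so a data-provider driven test listing both accepted and rejected From addresses (including a plain unquoted local part and a display name containing quotes) would document the boundary of the new guard far more clearly than two hand-written cases. testCodeInjectionInFromHeader also only asserts the exception; if the transport's test callback records `$this->additional_headers` as the valid-address test suggests, asserting it was never populated would confirm the message was refused before any send attempt. The preceding testAssertSubjectEncoded starts outside the hunk.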