
Fixes ZF2016-04 vulnerability
Fixed sendmail remote code execution vulnerability.
ezimuel authored and weierophinney committed Dec 19, 2016
1 parent 7e5bdc3 commit 7c1e898
Showing 2 changed files with 36 additions and 0 deletions.
11 changes: 11 additions & 0 deletions library/Zend/Mail/Transport/Sendmail.php
Expand Up @@ -14,6 +14,7 @@
use Zend\Mail\Address\AddressInterface;
use Zend\Mail\Exception;
use Zend\Mail\Header\HeaderInterface;
use Zend\Mail\Transport\Exception\RuntimeException;

/**
* Class for sending email via the PHP internal mail() function
Expand Down Expand Up @@ -226,6 +227,16 @@ protected function prepareHeaders(Mail\Message $message)
$headers = clone $message->getHeaders();
$headers->removeHeader('To');
$headers->removeHeader('Subject');

// Sanitize the From header
$from = $headers->get('From');
if ($from) {
foreach ($from->getAddressList() as $address) {
if (preg_match('/\\\"/', $address->getEmail())) {
throw new RuntimeException('Potential code injection in From header');
}
}
}
return $headers->toString();
}

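Review bot: The new guard at the end of prepareHeaders refuses only the exact two-byte sequence `\"` (the single-quoted pattern `'/\\\"/'` compiles to the regex `\\"`), so it is a denylist for the published proof-of-concept value rather than a statement of what a safe address looks like. A backslash can legally appear in an address only as a quoted-pair inside a quoted local part, so it would be both simpler and stricter to reject any backslash at all, `if (preg_match('/\\\\/', $address->getEmail()))`, which still lets the `"foo-bar"@domain` case from the new test through. The hazard is presumably the command line that mail()'s additional parameters end up in, not the header text itself, so if prepareParameters (outside this hunk) also turns a `Sender` address into `-f`, that path needs the same check; a small private helper called from both places would keep the two in step. The enclosing method starts before the hunk, at the signature shown in the `@@` line.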
25 changes: 25 additions & 0 deletions tests/ZendTest/Mail/Transport/SendmailTest.php
Expand Up @@ -10,6 +10,7 @@
namespace ZendTest\Mail\Transport;

use Zend\Mail\Message;
use Zend\Mail\Transport\Exception\RuntimeException;
use Zend\Mail\Transport\Sendmail;

/**
Expand Down Expand Up @@ -128,4 +129,28 @@ public function testAssertSubjectEncoded()
$this->transport->send($message);
$this->assertEquals('=?UTF-8?Q?Testing=20Zend\Mail\Transport\Sendmail?=', $this->subject);
}

public function testCodeInjectionInFromHeader()
{
$message = $this->getMessage();
$message->setBody('This is the text of the email.');
$message->setFrom('"AAA\" code injection"@domain', 'Sender\'s name');
$message->addTo('hacker@localhost', 'Name of recipient');
$message->setSubject('TestSubject');

$this->setExpectedException(RuntimeException::class);
$this->transport->send($message);
}

public function testValidEmailLocaDomainInFromHeader()
{
$message = $this->getMessage();
$message->setBody('This is the text of the email.');
$message->setFrom('"foo-bar"@domain', 'Foo Bar');
$message->addTo('hacker@localhost', 'Name of recipient');
$message->setSubject('TestSubject');

$this->transport->send($message);
$this->assertContains('From: Foo Bar <"foo-bar"@domain>', $this->additional_headers);
}
}
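Review bot: `testValidEmailLocaDomainInFromHeader` has a typo in its name and should read `testValidEmailLocalDomainInFromHeader`, since it is named for the quoted local part it exercises. `RuntimeException::class` requires PHP 5.5; if this branch still declares a lower minimum in composer.json (not visible here), pass the string `'Zend\Mail\Transport\Exception\RuntimeException'` to setExpectedException instead. Both new tests set the injected value through the From header only; a companion case that sets it via `setSender()` would show whether that path is guarded as well, if the transport uses the sender for the `-f` parameter.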
