oqapi/webgui
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Added check for malicious mail headers

Browse source
This commit is contained in:
Len Kranendonk 2003-11-16 19:26:06 +00:00
parent e5198a9dc6
commit ad774fa69a
2 changed files with 9 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

1
docs/changelog/5.x.x.txt
View file

@ -23,6 +23,7 @@
- Fixed bug [ 838091 ] Read-Only Forum User Cannot Subscribe - Fixed bug [ 838091 ] Read-Only Forum User Cannot Subscribe
- Fixed bug [ 839524 ] Editing forum settings defaults all template names - Fixed bug [ 839524 ] Editing forum settings defaults all template names
- Fixed bug [ 841194 ] denied post security problem - Fixed bug [ 841194 ] denied post security problem
- Added a check for malicious mail headers
5.5.0 5.5.0

8
lib/WebGUI/Mail.pm
View file

@ -80,6 +80,14 @@ The email address for the BCC line.
sub send { sub send {
my ($smtp, $message, $from, $footer); my ($smtp, $message, $from, $footer);
foreach my $option (\$_[0], \$_[1], \$_[3], \$_[4], \$_[5]) {
if(${$option}) {
if (${$option} =~ /(?:From|To|Date|X-Mailer|Subject|Received|Message-Id)\s*:/is) {
use WebGUI::ErrorHandler;
return WebGUI::ErrorHandler::security("pass a malicious value to the mail header.");
}
}
}
$from = $_[4] || $session{setting}{companyEmail}; $from = $_[4] || $session{setting}{companyEmail};
#header #header
$message = "To: $_[0]\n"; $message = "To: $_[0]\n";