
Commit 7260c97

ezimuelweierophinney
authored and committed
Fixes ZF2016-04 vulnerability
Fixed sendmail remote code execution vulnerability.
1 parent 85c3802 commit 7260c97


2 files changed

+35
-0
lines changed


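--- a/src/Transport/Sendmail.php
+++ b/src/Transport/Sendmail.php
@@ -225,6 +225,16 @@ protected function prepareHeaders(Mail\Message $message)
         $headers = clone $message->getHeaders();
         $headers->removeHeader('To');
         $headers->removeHeader('Subject');
+
+        // Sanitize the From header
+        $from = $headers->get('From');
+        if ($from) {
+            foreach ($from->getAddressList() as $address) {
+                if (preg_match('/\\\"/', $address->getEmail())) {
+                    throw new Exception\RuntimeException('Potential code injection in From header');
+                }
+            }
+        }
         return $headers->toString();
     }
 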
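Review bot: The comment `// Sanitize the From header` on new line 229 is misleading: nothing is sanitized, the message is rejected outright when any From address contains an escaped quote, so the comment should state what is rejected and why, e.g. `// Reject a From address containing an escaped quote (\"); as the accompanying test shows, such a local part can break out of the quoted address before it reaches sendmail.` The pattern `'/\\\"/'` is also hard to read because of the two escaping layers (after single-quote unescaping it is the regex `/\\"/`, a literal backslash followed by a quote); the equivalent `strpos($address->getEmail(), '\\"') !== false` says the same thing without a regex. The guard is a denylist for one two-character sequence; if the From address is also handed to sendmail as a command-line parameter outside this hunk, validating the whole address against a strict allowlist or wrapping that parameter with `escapeshellarg()` at the call site would be a more direct control than this check on the header string. prepareHeaders begins before the hunk, so where the address is consumed is not visible here.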
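--- a/test/Transport/SendmailTest.php
+++ b/test/Transport/SendmailTest.php
@@ -10,6 +10,7 @@
 namespace ZendTest\Mail\Transport;
 
 use Zend\Mail\Message;
+use Zend\Mail\Transport\Exception\RuntimeException;
 use Zend\Mail\Transport\Sendmail;
 
 /**
@@ -133,4 +134,28 @@ public function testAssertSubjectEncoded()
         $this->transport->send($message);
         $this->assertEquals('=?UTF-8?Q?Testing=20Zend\Mail\Transport\Sendmail?=', $this->subject);
     }
+
+    public function testCodeInjectionInFromHeader()
+    {
+        $message = $this->getMessage();
+        $message->setBody('This is the text of the email.');
+        $message->setFrom('"AAA\" code injection"@domain', 'Sender\'s name');
+        $message->addTo('hacker@localhost', 'Name of recipient');
+        $message->setSubject('TestSubject');
+
+        $this->setExpectedException(RuntimeException::class);
+        $this->transport->send($message);
+    }
+
+    public function testValidEmailLocaDomainInFromHeader()
+    {
+        $message = $this->getMessage();
+        $message->setBody('This is the text of the email.');
+        $message->setFrom('"foo-bar"@domain', 'Foo Bar');
+        $message->addTo('hacker@localhost', 'Name of recipient');
+        $message->setSubject('TestSubject');
+
+        $this->transport->send($message);
+        $this->assertContains('From: Foo Bar <"foo-bar"@domain>', $this->additional_headers);
+    }
 }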
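Review bot: The new test name `testValidEmailLocaDomainInFromHeader` (new line 150) has a typo and should be `testValidEmailLocalDomainInFromHeader`. The two new tests repeat the same message setup and each pin a single From address; a data provider yielding the address together with whether a RuntimeException is expected would let further cases (other legitimately quoted local parts that must be accepted, other backslash and quote combinations that must be rejected) be added with one line each, which matters for a regression test of a security fix. `setExpectedException` is the older PHPUnit API; if the suite's PHPUnit version supports it, `$this->expectException(RuntimeException::class);` is the current form. The SendmailTest class begins before this hunk.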
