authorlpsolit%gmail.com <>2007-08-23 20:46:56 +0000
committerlpsolit%gmail.com <>2007-08-23 20:46:56 +0000
commit2970d80a9abcad6b46d91f1aa65082827bbbf52e (patch)
treee39937216342912e87e0496fd1eee8ca91edd206
parentBug 382056: [SECURITY] Bugzilla::Webservice::Bug->get_bugs() doesn't check if... (diff)
Bug 386860: [SECURITY] Insufficient escaping of From address when using Sendmail - Patch by Max Kanat-Alexander <mkanat@bugzilla.org> r/a=LpSolit
-rw-r--r--Bugzilla/Mailer.pm10
1 files changed, 9 insertions, 1 deletions
diff --git a/Bugzilla/Mailer.pm b/Bugzilla/Mailer.pm
index b4b2f320d..03f370a4e 100644
--- a/Bugzilla/Mailer.pm
+++ b/Bugzilla/Mailer.pm
@@ -44,6 +44,7 @@ use Bugzilla::Util;
use Date::Format qw(time2str);
use Encode qw(encode);
+use Email::Address;
use Email::MIME;
# Loading this gives us encoding_set.
use Email::MIME::Modifier;
@@ -80,7 +81,14 @@ sub MessageToMTA {
$Email::Send::Sendmail::SENDMAIL = SENDMAIL_EXE;
}
push @args, "-i";
- push(@args, "-f$from") if $from;
+ # We want to make sure that we pass *only* an email address.
+ if ($from) {
+ my ($email_obj) = Email::Address->parse($from);
+ if ($email_obj) {
+ my $from_email = $email_obj->address;
+ push(@args, "-f$from_email") if $from_email;
+ }
+ }
push(@args, "-ODeliveryMode=deferred")
if !Bugzilla->params->{"sendmailnow"};
}
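Review bot: The value pushed as `-f$from_email` is still anything Email::Address accepts as an address, and an RFC 2822 local part may legally contain quoted strings, whitespace and characters that a shell treats specially, so parsing narrows the input but does not by itself make it safe as a command-line argument. How @args reaches the sendmail binary is not visible in this hunk; if it passes through a shell, add an allow-list check on the final value, for example `push(@args, "-f$from_email") if $from_email =~ /\A[A-Za-z0-9._+-]+\@[A-Za-z0-9.-]+\z/;`. When parsing yields no address the -f option is dropped silently, so a warning in that branch would let an administrator notice mail going out with the default envelope sender. MessageToMTA begins before this hunk and continues after it.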