author | lpsolit%gmail.com <> | 2007-08-23 20:46:56 +0000 |
---|---|---|
committer | lpsolit%gmail.com <> | 2007-08-23 20:46:56 +0000 |
commit | 2970d80a9abcad6b46d91f1aa65082827bbbf52e (patch) | |
tree | e39937216342912e87e0496fd1eee8ca91edd206 | |
parent | Bug 382056: [SECURITY] Bugzilla::Webservice::Bug->get_bugs() doesn't check if... (diff) | |
Bug 386860: [SECURITY] Insufficient escaping of From address when using Sendmail - Patch by Max Kanat-Alexander <mkanat@bugzilla.org> r/a=LpSolit
-rw-r--r-- | Bugzilla/Mailer.pm | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/Bugzilla/Mailer.pm b/Bugzilla/Mailer.pm
index b4b2f320d..03f370a4e 100644
--- a/Bugzilla/Mailer.pm
+++ b/Bugzilla/Mailer.pm
@@ -44,6 +44,7 @@ use Bugzilla::Util;
 use Date::Format qw(time2str);
 use Encode qw(encode);
+use Email::Address;
 use Email::MIME;
 # Loading this gives us encoding_set.
 use Email::MIME::Modifier;
@@ -80,7 +81,14 @@ sub MessageToMTA {
 $Email::Send::Sendmail::SENDMAIL = SENDMAIL_EXE;
 }
 push @args, "-i";
- push(@args, "-f$from") if $from;
+ # We want to make sure that we pass *only* an email address.
+ if ($from) {
+ my ($email_obj) = Email::Address->parse($from);
+ if ($email_obj) {
+ my $from_email = $email_obj->address;
+ push(@args, "-f$from_email") if $from_email;
+ }
+ }
 push(@args, "-ODeliveryMode=deferred") if !Bugzilla->params->{"sendmailnow"};
 } |
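Review bot: The value appended after `-f` in MessageToMTA is whatever `$email_obj->address` returns, and as far as I know Email::Address accepts RFC 2822 quoted local parts, so `$from_email` may still contain whitespace or shell-significant characters inside the quotes. How `@args` reaches the sendmail binary is not visible in this hunk; if it is ever joined into a command string rather than passed as an argument list, parsing alone is not a sufficient filter. I would add an allow-list check before the push, for example `push(@args, "-f$from_email") if $from_email =~ /\A[A-Za-z0-9._+\-]+\@[A-Za-z0-9.\-]+\z/;`, accepting that unusual but valid addresses then lose the explicit envelope sender. When parsing fails the `-f` option is dropped without any trace, so a comment such as `# No parsable From: sendmail is left to pick its default envelope sender.` (or a warning in the log) would help whoever debugs bounces later. The body of MessageToMTA starts and ends outside the hunk.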