X-Git-Url: http://git.heureux-cyclage.org/?a=blobdiff_plain;f=includes%2Fmail%2FUserMailer.php;h=3858f27566ef90d3b936b9340aaa1fe7573d6e6d;hb=cbac334f116c6546c422a67ce99d2a56eb792d30;hp=c8e9999a3665eb7999a027f195f42f702130beee;hpb=2c0db8f5e8593a51ae0acc8285fd40b7743b0fce;p=lhc%2Fweb%2Fwiklou.git
diff --git a/includes/mail/UserMailer.php b/includes/mail/UserMailer.php
index c8e9999a36..3858f27566 100644
--- a/includes/mail/UserMailer.php
+++ b/includes/mail/UserMailer.php
@@ -103,9 +103,9 @@ class UserMailer {
 * @param string $subject Email's subject.
 * @param string $body Email's text or Array of two strings to be the text and html bodies
 * @param array $options:
- * 'replyTo' MailAddress
- * 'contentType' string default 'text/plain; charset=UTF-8'
- * 'headers' array Extra headers to set
+ * 'replyTo' MailAddress
+ * 'contentType' string default 'text/plain; charset=UTF-8'
+ * 'headers' array Extra headers to set
 *
 * @throws MWException
 * @throws Exception
@@ -197,9 +197,9 @@ class UserMailer {
 * @param string $subject Email's subject.
 * @param string $body Email's text or Array of two strings to be the text and html bodies
 * @param array $options:
- * 'replyTo' MailAddress
- * 'contentType' string default 'text/plain; charset=UTF-8'
- * 'headers' array Extra headers to set
+ * 'replyTo' MailAddress
+ * 'contentType' string default 'text/plain; charset=UTF-8'
+ * 'headers' array Extra headers to set
 *
 * @throws MWException
 * @throws Exception
@@ -268,7 +268,14 @@ class UserMailer {
 // Add the envelope sender address using the -f command line option when PHP mail() is used.
 // Will default to the $from->address when the UserMailerChangeReturnPath hook fails and the
 // generated VERP address when the hook runs effectively.
- $extraParams .= ' -f ' . $returnPath;
+
+ // PHP runs this through escapeshellcmd(). However that's not sufficient
+ // escaping (e.g. due to spaces). MediaWiki's email sanitizer should generally
+ // be good enough, but just in case, put in double quotes, and remove any
+ // double quotes present (" is not allowed in emails, so should have no
+ // effect, although this might cause apostrophees to be double escaped)
+ $returnPathCLI = '"' . str_replace( '"', '', $returnPath ) . '"';
+ $extraParams .= ' -f ' . $returnPathCLI;
 $headers['Return-Path'] = $returnPath;
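Review bot: The quoting added before `$extraParams .= ' -f ' . $returnPathCLI;` only strips `"` and wraps the value, so a `$returnPath` containing whitespace or other non-address characters is still handed to the `-f` option as a malformed sender, and `$headers['Return-Path']` on the last line keeps the unmodified string, so the envelope sender and the header can diverge. Because the comment says the value may come from the UserMailerChangeReturnPath hook, I would validate it explicitly and only add the option when it passes, e.g. `if ( Sanitizer::validateEmail( $returnPath ) ) { $extraParams .= ' -f ' . $returnPathCLI; }`, logging the rejected value otherwise. The quoting should not be swapped for `escapeshellarg()`: mail() applies escapeshellcmd() on top, as the new comment notes, and the two escapers combined can undo each other's quoting. The enclosing function starts and ends outside the hunk, so whether `$returnPath` is already validated earlier cannot be seen from here.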