Moved $wgQueryPages stuff out of the global scope and into a function
[lhc/web/wiklou.git] / includes / UserMailer.php
index 39c3e18..de4457d 100644 (file)
@@ -120,6 +120,8 @@ class UserMailer {
        static function arrayToHeaderString( $headers, $endl = "\n" ) {
                $strings = array();
                foreach ( $headers as $name => $value ) {
+                       // Prevent header injection by stripping newlines from value
+                       $value = self::sanitizeHeaderValue( $value );
                        $strings[] = "$name: $value";
                }
                return implode( $endl, $strings );
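Review bot: Only the value side of each header is sanitized; `$name` is interpolated into `"$name: $value"` untouched, so a CR/LF in a key of `$headers` would still terminate the header line. If any caller builds keys from non-literal data, give the key the same treatment: `$strings[] = self::sanitizeHeaderValue( $name ) . ': ' . $value;`. Stripping CR/LF also flattens any legitimately folded header values (for example long headers returned by Mail_mime::headers(), if they ever pass through here), which is acceptable but should be stated on the added comment: `// Prevent header injection: strip CR/LF (this also unfolds folded values)`. arrayToHeaderString's closing brace lies outside the hunk.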
@@ -260,8 +262,7 @@ class UserMailer {
                                wfDebug( "PEAR Mail_Mime package is not installed. Falling back to text email.\n" );
                                // remove the html body for text email fall back
                                $body = $body['text'];
-                       }
-                       else {
+                       } else {
                                require_once 'Mail/mime.php';
                                if ( wfIsWindows() ) {
                                        $body['text'] = str_replace( "\n", "\r\n", $body['text'] );
@@ -274,7 +275,7 @@ class UserMailer {
                                $headers = $mime->headers( $headers );
                        }
                }
-               if ( !isset( $mime ) ) {
+               if ( $mime === null ) {
                        // sending text only, either deliberately or as a fallback
                        if ( wfIsWindows() ) {
                                $body = str_replace( "\n", "\r\n", $body );
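Review bot: `$mime === null` reads `$mime` unconditionally, whereas the replaced `!isset( $mime )` tolerated the variable never having been assigned; from this hunk alone `$mime` is only ever assigned inside the Mail_mime branch above, so unless it is initialised to `null` before that branch (outside this hunk) the text-only path now emits an undefined-variable notice while still taking the intended branch. If the initialisation is missing, add `$mime = null;` ahead of the `if` that chooses between text and MIME bodies; if it is present, a short comment on that line saying it is relied on here would stop the next refactor from removing it. The enclosing send method starts and ends outside this hunk.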
@@ -393,13 +394,25 @@ class UserMailer {
                self::$mErrorString = preg_replace( '/^mail\(\)(\s*\[.*?\])?: /', '', $string );
        }
 
+       /**
+        * Strips bad characters from a header value to prevent PHP mail header injection attacks
+        * @param string $val String to be santizied
+        * @return string
+        */
+       public static function sanitizeHeaderValue( $val ) {
+               return strtr( $val, array( "\r" => '', "\n" => '' ) );
+       }
+
        /**
         * Converts a string into a valid RFC 822 "phrase", such as is used for the sender name
         * @param $phrase string
         * @return string
         */
        public static function rfc822Phrase( $phrase ) {
-               $phrase = strtr( $phrase, array( "\r" => '', "\n" => '', '"' => '' ) );
+               // Remove line breaks
+               $phrase = self::sanitizeHeaderValue( $phrase );
+               // Remove quotes
+               $phrase = str_replace( '"', '', $phrase );
                return '"' . $phrase . '"';
        }
 
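Review bot: The docblock on sanitizeHeaderValue has a typo (`santizied`) and understates the contract; suggest `Removes CR and LF from a header value so it cannot end the header and start another one (PHP mail() header injection). It does not escape or fold anything, so values used as a quoted phrase still need rfc822Phrase().`. In rfc822Phrase the value is wrapped in double quotes after the quotes are stripped, but backslashes are left in place, so a phrase ending in `\` produces a malformed quoted-string (pre-existing, but this commit touches the line); `$phrase = str_replace( array( '"', '\\' ), '', $phrase );` would close that.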
@@ -635,7 +648,9 @@ class EmailNotification {
                                                && $watchingUser->isEmailConfirmed()
                                                && $watchingUser->getID() != $userTalkId
                                        ) {
-                                               $this->compose( $watchingUser );
+                                               if ( wfRunHooks( 'SendWatchlistEmailNotification', array( $watchingUser, $title, $this ) ) ) {
+                                                       $this->compose( $watchingUser );
+                                               }
                                        }
                                }
                        }
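Review bot: The new `SendWatchlistEmailNotification` hook is passed `$title`, which is not defined anywhere in the hunk; confirm it is the page title the enclosing method is notifying about (and not a stale local), since hook handlers will rely on it matching the page whose watchers are being iterated. A one-line comment stating the contract of the added check would help readers, e.g. `// Hook handlers may return false to suppress the notification for this watcher`. The enclosing loop and method start and end outside this hunk.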
@@ -694,7 +709,7 @@ class EmailNotification {
         * Generate the generic "this page has been changed" e-mail text.
         */
        private function composeCommonMailtext() {
-               global $wgPasswordSender, $wgPasswordSenderName, $wgNoReplyAddress;
+               global $wgPasswordSender, $wgNoReplyAddress;
                global $wgEnotifFromEditor, $wgEnotifRevealEditorAddress;
                global $wgEnotifImpersonal, $wgEnotifUseRealName;
 
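Review bot: `$wgPasswordSenderName` is dropped from the `global` declaration, which is correct for the `$adminAddress` construction changed later in this file, but composeCommonMailtext continues well past this hunk; any other remaining reference to `$wgPasswordSenderName` in the method body would now read an undefined local rather than the global. If the variable is gone from the whole method, a comment on the `global` line noting that the sender name now comes from the `emailsender` message would explain the removal to readers: `global $wgPasswordSender, $wgNoReplyAddress; // sender name comes from the 'emailsender' message`.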
@@ -779,7 +794,8 @@ class EmailNotification {
                # Reveal the page editor's address as REPLY-TO address only if
                # the user has not opted-out and the option is enabled at the
                # global configuration level.
-               $adminAddress = new MailAddress( $wgPasswordSender, $wgPasswordSenderName );
+               $adminAddress = new MailAddress( $wgPasswordSender,
+                       wfMessage( 'emailsender' )->inContentLanguage()->text() );
                if ( $wgEnotifRevealEditorAddress
                        && ( $this->editor->getEmail() != '' )
                        && $this->editor->getOption( 'enotifrevealaddr' )
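Review bot: The From display name is now taken from the `emailsender` message, i.e. from on-wiki editable content rather than site configuration, so it should be treated as a header value: confirm that MailAddress runs its name through rfc822Phrase() (and thus sanitizeHeaderValue()) before it is emitted, since that constructor is not visible here. Separately, the pre-existing comment block about revealing the editor's address as REPLY-TO now sits directly above the `$adminAddress` construction it does not describe; move it below the two `$adminAddress` lines so it precedes the `if ( $wgEnotifRevealEditorAddress` it belongs to. The enclosing method continues outside the hunk.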