Removed ZhClient; unused by core and extensions
[lhc/web/wiklou.git] / includes / UserMailer.php
index 6157f78..e1d00d3 100644 (file)
@@ -120,6 +120,8 @@ class UserMailer {
        static function arrayToHeaderString( $headers, $endl = "\n" ) {
                $strings = array();
                foreach ( $headers as $name => $value ) {
+                       // Prevent header injection by stripping newlines from value
+                       $value = self::sanitizeHeaderValue( $value );
                        $strings[] = "$name: $value";
                }
                return implode( $endl, $strings );
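Review bot: Only `$value` goes through sanitizeHeaderValue(); the header `$name` is interpolated into `"$name: $value"` untouched, so a CR/LF in a key of `$headers` would still inject a header. The keys are presumably literals from callers in this class, but the method is static with no visibility keyword (public in PHP), so sanitizing both sides is cheap: `$strings[] = self::sanitizeHeaderValue( $name ) . ': ' . self::sanitizeHeaderValue( $value );`. Note also that stripping rather than rejecting silently collapses an attempted injection into one merged header and leaves no trace; a `wfDebug( __METHOD__ . ": stripped line break from header $name\n" )` when the value changed would make attempts visible in logs.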
@@ -393,13 +395,25 @@ class UserMailer {
                self::$mErrorString = preg_replace( '/^mail\(\)(\s*\[.*?\])?: /', '', $string );
        }
 
+       /**
+        * Strips bad characters from a header value to prevent PHP mail header injection attacks
+        * @param string $val String to be santizied
+        * @return string
+        */
+       public static function sanitizeHeaderValue( $val ) {
+               return strtr( $val, array( "\r" => '', "\n" => '' ) );
+       }
+
        /**
         * Converts a string into a valid RFC 822 "phrase", such as is used for the sender name
         * @param $phrase string
         * @return string
         */
        public static function rfc822Phrase( $phrase ) {
-               $phrase = strtr( $phrase, array( "\r" => '', "\n" => '', '"' => '' ) );
+               // Remove line breaks
+               $phrase = self::sanitizeHeaderValue( $phrase );
+               // Remove quotes
+               $phrase = str_replace( '"', '', $phrase );
                return '"' . $phrase . '"';
        }
 
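Review bot: rfc822Phrase() removes `"` but leaves backslashes, so a phrase ending in `\` yields `"foo\"`, where the backslash is a quoted-pair escape of the closing quote and the resulting header is malformed (or parsed with a different boundary by a lenient MTA). Strip it with the quote: `$phrase = str_replace( array( '"', '\\' ), '', $phrase );`. sanitizeHeaderValue() is adequate for CR/LF, but it removes instead of rejecting, so `"x\r\nBcc: y"` becomes `xBcc: y` and the caller gets no signal that anything was wrong; its docblock also misspells "sanitized" as `santizied`.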
@@ -630,11 +644,11 @@ class EmailNotification {
                                // Send updates to watchers other than the current editor
                                $userArray = UserArray::newFromIDs( $watchers );
                                foreach ( $userArray as $watchingUser ) {
-                                       if ( $watchingUser->getOption( 'enotifwatchlistpages' ) &&
-                                               ( !$minorEdit || $watchingUser->getOption( 'enotifminoredits' ) ) &&
-                                               $watchingUser->isEmailConfirmed() &&
-                                               $watchingUser->getID() != $userTalkId )
-                                       {
+                                       if ( $watchingUser->getOption( 'enotifwatchlistpages' )
+                                               && ( !$minorEdit || $watchingUser->getOption( 'enotifminoredits' ) )
+                                               && $watchingUser->isEmailConfirmed()
+                                               && $watchingUser->getID() != $userTalkId
+                                       {
                                                $this->compose( $watchingUser );
                                        }
                                }
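Review bot: The reformatted condition appears to have lost the closing parenthesis of the `if`: the last operand `&& $watchingUser->getID() != $userTalkId` is followed directly by `{`, which is a parse error, whereas the removed lines ended with `$userTalkId )`. If this is not a display artifact of the page, the brace line should read `) {`. The same pattern recurs in the two later reformatting hunks of this file and should be checked there as well.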
@@ -672,9 +686,9 @@ class EmailNotification {
                                wfDebug( __METHOD__ . ": user talk page edited, but user does not exist\n" );
                        } elseif ( $targetUser->getId() == $editor->getId() ) {
                                wfDebug( __METHOD__ . ": user edited their own talk page, no notification sent\n" );
-                       } elseif ( $targetUser->getOption( 'enotifusertalkpages' ) &&
-                               ( !$minorEdit || $targetUser->getOption( 'enotifminoredits' ) ) )
-                       {
+                       } elseif ( $targetUser->getOption( 'enotifusertalkpages' )
+                               && ( !$minorEdit || $targetUser->getOption( 'enotifminoredits' ) )
+                       {
                                if ( !$targetUser->isEmailConfirmed() ) {
                                        wfDebug( __METHOD__ . ": talk page owner doesn't have validated email\n" );
                                } elseif ( !wfRunHooks( 'AbortTalkPageEmailNotification', array( $targetUser, $title ) ) ) {
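Review bot: As in the preceding hunk, the `elseif` condition ends on `&& ( !$minorEdit || $targetUser->getOption( 'enotifminoredits' ) )` and is followed by a bare `{`, so the parenthesis that the removed line closed with `) )` is gone; unless the page dropped it, the line should be `) {`. The enclosing method continues outside this hunk.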
@@ -694,7 +708,7 @@ class EmailNotification {
         * Generate the generic "this page has been changed" e-mail text.
         */
        private function composeCommonMailtext() {
-               global $wgPasswordSender, $wgPasswordSenderName, $wgNoReplyAddress;
+               global $wgPasswordSender, $wgNoReplyAddress;
                global $wgEnotifFromEditor, $wgEnotifRevealEditorAddress;
                global $wgEnotifImpersonal, $wgEnotifUseRealName;
 
@@ -779,11 +793,12 @@ class EmailNotification {
                # Reveal the page editor's address as REPLY-TO address only if
                # the user has not opted-out and the option is enabled at the
                # global configuration level.
-               $adminAddress = new MailAddress( $wgPasswordSender, $wgPasswordSenderName );
+               $adminAddress = new MailAddress( $wgPasswordSender,
+                       wfMessage( 'emailsender' )->inContentLanguage()->text() );
                if ( $wgEnotifRevealEditorAddress
                        && ( $this->editor->getEmail() != '' )
-                       && $this->editor->getOption( 'enotifrevealaddr' ) )
-               {
+                       && $this->editor->getOption( 'enotifrevealaddr' )
+               {
                        $editorAddress = new MailAddress( $this->editor );
                        if ( $wgEnotifFromEditor ) {
                                $this->from = $editorAddress;
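Review bot: The sender display name now comes from `wfMessage( 'emailsender' )->inContentLanguage()->text()` instead of the `$wgPasswordSenderName` config value, which presumably moves it from admin-controlled LocalSettings to an on-wiki interface message editable by anyone with the edit-interface right. That is acceptable only if MailAddress runs the name through rfc822Phrase() (or equivalent CR/LF and quote stripping) before it reaches a header; this hunk does not show MailAddress, so please confirm, and a one-line comment here such as `// 'emailsender' is an editable interface message; MailAddress must sanitize it before header use` would record the assumption. Separately, the reformatted `if` condition ends with `&& $this->editor->getOption( 'enotifrevealaddr' )` followed by a bare `{`, so the closing `)` from the removed line appears lost and the line should be `) {`. composeCommonMailtext() continues past the end of this hunk.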