* 'contentType' string default 'text/plain; charset=UTF-8'
* 'headers' array Extra headers to set
*
- * Previous versions of this function had $replyto as the 5th argument and $contentType
- * as the 6th. These are still supported for backwards compatability, but deprecated.
- *
* @throws MWException
* @throws Exception
* @return Status
public static function send( $to, $from, $subject, $body, $options = [] ) {
global $wgAllowHTMLEmail;
- if ( !is_array( $options ) ) {
- // Old calling style
- wfDeprecated( __METHOD__ . ' with $replyto as 5th parameter', '1.26' );
- $options = [ 'replyTo' => $options ];
- if ( func_num_args() === 6 ) {
- $options['contentType'] = func_get_arg( 5 );
- }
- }
if ( !isset( $options['contentType'] ) ) {
$options['contentType'] = 'text/plain; charset=UTF-8';
}
// Add the envelope sender address using the -f command line option when PHP mail() is used.
// Will default to the $from->address when the UserMailerChangeReturnPath hook fails and the
// generated VERP address when the hook runs effectively.
- $extraParams .= ' -f ' . $returnPath;
+
+ // PHP runs this through escapeshellcmd(). However that's not sufficient
+ // escaping (e.g. due to spaces). MediaWiki's email sanitizer should generally
+ // be good enough, but just in case, put in double quotes, and remove any
+ // double quotes present (" is not allowed in emails, so should have no
+ // effect, although this might cause apostrophees to be double escaped)
+ $returnPathCLI = '"' . str_replace( '"', '', $returnPath ) . '"';
+ $extraParams .= ' -f ' . $returnPathCLI;
$headers['Return-Path'] = $returnPath;
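Review bot: The new `$returnPathCLI` line only strips `"` and wraps the value in double quotes, so the safety of the `-f` argument still depends on `$returnPath` already being a well-formed address. The comment above says the value can come from the UserMailerChangeReturnPath hook, so it may not have passed through MediaWiki's email sanitizer. Unless that is guaranteed outside this hunk, I would validate here and omit `-f` on failure, e.g. `if ( Sanitizer::validateEmailAddr( $returnPath ) ) { $extraParams .= ' -f ' . $returnPathCLI; }`, logging the rejected value. The comment should also say that the backslashes escapeshellcmd() adds stay literal inside double quotes for most characters, not only apostrophes, so such addresses reach sendmail altered. The enclosing code starts and ends outside this hunk.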
->getFullURL( '', false, PROTO_CANONICAL ) . '>';
// Line endings need to be different on Unix and Windows due to
- // the bug described at http://trac.wordpress.org/ticket/2603
+ // the bug described at https://core.trac.wordpress.org/ticket/2603
$endl = PHP_EOL;
if ( is_array( $body ) ) {