X-Git-Url: https://git.heureux-cyclage.org/?a=blobdiff_plain;f=includes%2FUserMailer.php;h=e1d00d33f8911a28d3c5f02ea19026ac24367d7d;hb=9f38f56fb5aff2c39981bb8c51d2e99c42d65215;hp=6157f78122061eda6faa734cade05706d3ee62f5;hpb=58545c56be35ff3c5de8ef3a70fdef7e2dd738fc;p=lhc%2Fweb%2Fwiklou.git

diff --git a/includes/UserMailer.php b/includes/UserMailer.php
index 6157f78122..e1d00d33f8 100644
--- a/includes/UserMailer.php
+++ b/includes/UserMailer.php
@@ -120,6 +120,8 @@ class UserMailer {
 static function arrayToHeaderString( $headers, $endl = "\n" ) {
 $strings = array();
 foreach ( $headers as $name => $value ) {
+ // Prevent header injection by stripping newlines from value
+ $value = self::sanitizeHeaderValue( $value );
 $strings[] = "$name: $value";
 }
 return implode( $endl, $strings );
@@ -393,13 +395,25 @@ class UserMailer {
 self::$mErrorString = preg_replace( '/^mail\(\)(\s*\[.*?\])?: /', '', $string );
 }
 
+ /**
+ * Strips bad characters from a header value to prevent PHP mail header injection attacks
+ * @param string $val String to be santizied
+ * @return string
+ */
+ public static function sanitizeHeaderValue( $val ) {
+ return strtr( $val, array( "\r" => '', "\n" => '' ) );
+ }
+
 /**
 * Converts a string into a valid RFC 822 "phrase", such as is used for the sender name
 * @param $phrase string
 * @return string
 */
 public static function rfc822Phrase( $phrase ) {
- $phrase = strtr( $phrase, array( "\r" => '', "\n" => '', '"' => '' ) );
+ // Remove line breaks
+ $phrase = self::sanitizeHeaderValue( $phrase );
+ // Remove quotes
+ $phrase = str_replace( '"', '', $phrase );
 return '"' . $phrase . '"';
 }
 
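Review bot: sanitizeHeaderValue is applied only to `$value` in the added lines of arrayToHeaderString; the header name in `$strings[] = "$name: $value";` is emitted unchanged, so a CR/LF in a key of `$headers` would still split the header block. If keys can only originate in code this is acceptable, but the assumption should be stated next to the new call, e.g. `// $name is trusted (set by callers in code); only $value may carry user-supplied text`, or `$name` should go through the same helper. The closing brace of arrayToHeaderString lies outside the hunk.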
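Review bot: rfc822Phrase still leaves backslashes in the phrase after the new `$phrase = str_replace( '"', '', $phrase );`, so a display name ending in `\` produces `"name\"`, where RFC 822 treats `\"` as a quoted-pair and the closing quote is lost. Escaping instead of stripping covers both characters and keeps legitimate quotes in the name: replace the two new quote-removal lines with `// Escape quotes and backslashes so the result is a well-formed quoted-string` and `$phrase = addcslashes( $phrase, '"\\' );`. The docblock of the new sanitizeHeaderValue misspells its parameter description; `@param string $val String to be sanitized`. It would also help to state there that CR and LF are dropped silently rather than rejected, e.g. `* Callers that need to detect an injection attempt, not just neutralize it, should compare input and output`.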
@@ -630,11 +644,11 @@ class EmailNotification {
 // Send updates to watchers other than the current editor
 $userArray = UserArray::newFromIDs( $watchers );
 foreach ( $userArray as $watchingUser ) {
- if ( $watchingUser->getOption( 'enotifwatchlistpages' ) &&
- ( !$minorEdit || $watchingUser->getOption( 'enotifminoredits' ) ) &&
- $watchingUser->isEmailConfirmed() &&
- $watchingUser->getID() != $userTalkId )
- {
+ if ( $watchingUser->getOption( 'enotifwatchlistpages' )
+ && ( !$minorEdit || $watchingUser->getOption( 'enotifminoredits' ) )
+ && $watchingUser->isEmailConfirmed()
+ && $watchingUser->getID() != $userTalkId
+ ) {
 $this->compose( $watchingUser );
 }
 }
@@ -672,9 +686,9 @@ class EmailNotification {
 wfDebug( __METHOD__ . ": user talk page edited, but user does not exist\n" );
 } elseif ( $targetUser->getId() == $editor->getId() ) {
 wfDebug( __METHOD__ . ": user edited their own talk page, no notification sent\n" );
- } elseif ( $targetUser->getOption( 'enotifusertalkpages' ) &&
- ( !$minorEdit || $targetUser->getOption( 'enotifminoredits' ) ) )
- {
+ } elseif ( $targetUser->getOption( 'enotifusertalkpages' )
+ && ( !$minorEdit || $targetUser->getOption( 'enotifminoredits' ) )
+ ) {
 if ( !$targetUser->isEmailConfirmed() ) {
 wfDebug( __METHOD__ . ": talk page owner doesn't have validated email\n" );
 } elseif ( !wfRunHooks( 'AbortTalkPageEmailNotification', array( $targetUser, $title ) ) ) {
@@ -694,7 +708,7 @@ class EmailNotification {
 * Generate the generic "this page has been changed" e-mail text.
 */
 private function composeCommonMailtext() {
- global $wgPasswordSender, $wgPasswordSenderName, $wgNoReplyAddress;
+ global $wgPasswordSender, $wgNoReplyAddress;
 global $wgEnotifFromEditor, $wgEnotifRevealEditorAddress;
 global $wgEnotifImpersonal, $wgEnotifUseRealName;
 
@@ -779,11 +793,12 @@ class EmailNotification {
 # Reveal the page editor's address as REPLY-TO address only if
 # the user has not opted-out and the option is enabled at the
 # global configuration level.
- $adminAddress = new MailAddress( $wgPasswordSender, $wgPasswordSenderName );
+ $adminAddress = new MailAddress( $wgPasswordSender,
+ wfMessage( 'emailsender' )->inContentLanguage()->text() );
 if ( $wgEnotifRevealEditorAddress
 && ( $this->editor->getEmail() != '' )
- && $this->editor->getOption( 'enotifrevealaddr' ) )
- {
+ && $this->editor->getOption( 'enotifrevealaddr' )
+ ) {
 $editorAddress = new MailAddress( $this->editor );
 if ( $wgEnotifFromEditor ) {
 $this->from = $editorAddress;
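Review bot: The sender display name is now taken from `wfMessage( 'emailsender' )->inContentLanguage()->text()`, i.e. from message content that is typically overridable on-wiki rather than from a configuration variable, and it is passed straight into `new MailAddress(...)` for use in a mail header. That is only safe if MailAddress runs the name through rfc822Phrase (which this commit routes through sanitizeHeaderValue); MailAddress is not in this diff, so confirm it, or sanitize at this call site with `UserMailer::sanitizeHeaderValue( wfMessage( 'emailsender' )->inContentLanguage()->text() )`. The earlier hunk at new line 708 drops `$wgPasswordSenderName` from the `global` statement of composeCommonMailtext, whose body continues outside both hunks; any remaining use of that name in the function would now read an undefined local.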