From: Brian Wolff Date: Sat, 10 Dec 2016 13:03:21 +0000 (+0000) Subject: Escape return path extra params to php mail() X-Git-Tag: 1.31.0-rc.0~4584^2 X-Git-Url: https://git.heureux-cyclage.org/?a=commitdiff_plain;h=d2aba5a04ea17753eae7ab8b7ab049473147ff37;p=lhc%2Fweb%2Fwiklou.git Escape return path extra params to php mail() PHP only escapes some dangerous shell characters. This is a hardening measure, as MW's sanitizeEmail routines should also have prevented evil characters from being in mail addresses in the first place. Bug: T152717 Change-Id: I3736d612ed40d257ee3dde8e98eb30ccf432670a --- diff --git a/includes/mail/UserMailer.php b/includes/mail/UserMailer.php index c8e9999a36..21effa0e02 100644 --- a/includes/mail/UserMailer.php +++ b/includes/mail/UserMailer.php @@ -268,7 +268,14 @@ class UserMailer { // Add the envelope sender address using the -f command line option when PHP mail() is used. // Will default to the $from->address when the UserMailerChangeReturnPath hook fails and the // generated VERP address when the hook runs effectively. - $extraParams .= ' -f ' . $returnPath; + + // PHP runs this through escapeshellcmd(). However that's not sufficient + // escaping (e.g. due to spaces). MediaWiki's email sanitizer should generally + // be good enough, but just in case, put in double quotes, and remove any + // double quotes present (" is not allowed in emails, so should have no + // effect, although this might cause apostrophees to be double escaped) + $returnPathCLI = '"' . str_replace( '"', '', $returnPath ) . '"'; + $extraParams .= ' -f ' . $returnPathCLI; $headers['Return-Path'] = $returnPath;