From d2aba5a04ea17753eae7ab8b7ab049473147ff37 Mon Sep 17 00:00:00 2001 From: Brian Wolff Date: Sat, 10 Dec 2016 13:03:21 +0000 Subject: [PATCH] Escape return path extra params to php mail() PHP only escapes some dangerous shell characters. This is a hardening measure, as MW's sanitizeEmail routines should also have prevented evil characters from being in mail addresses in the first place. Bug: T152717 Change-Id: I3736d612ed40d257ee3dde8e98eb30ccf432670a --- includes/mail/UserMailer.php | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/includes/mail/UserMailer.php b/includes/mail/UserMailer.php index c8e9999a36..21effa0e02 100644 --- a/includes/mail/UserMailer.php +++ b/includes/mail/UserMailer.php @@ -268,7 +268,14 @@ class UserMailer { // Add the envelope sender address using the -f command line option when PHP mail() is used. // Will default to the $from->address when the UserMailerChangeReturnPath hook fails and the // generated VERP address when the hook runs effectively. - $extraParams .= ' -f ' . $returnPath; + + // PHP runs this through escapeshellcmd(). However that's not sufficient + // escaping (e.g. due to spaces). MediaWiki's email sanitizer should generally + // be good enough, but just in case, put in double quotes, and remove any + // double quotes present (" is not allowed in emails, so should have no + // effect, although this might cause apostrophees to be double escaped) + $returnPathCLI = '"' . str_replace( '"', '', $returnPath ) . '"'; + $extraParams .= ' -f ' . $returnPathCLI; $headers['Return-Path'] = $returnPath; -- 2.20.1