chagenbu Wed Feb 7 12:56:02 2001 EDT
Modified files:
/php4/pear/Mail Sendmail.php
Log:
remove double quotes which may not be stripped by sendmail (causing
problems), and add checks for dangerous characters (in addition to the
pre-existing escapeShellCmd()) in the $from variable.
Index: php4/pear/Mail/Sendmail.php
diff -u php4/pear/Mail/Sendmail.php:1.1 php4/pear/Mail/Sendmail.php:1.2
--- php4/pear/Mail/Sendmail.php:1.1 Wed Feb 7 12:22:59 2001
+++ php4/pear/Mail/Sendmail.php Wed Feb 7 12:56:02 2001
@@ -79,12 +79,16 @@
list($from, $text_headers) = $this->prepareHeaders($headers);
if (!isset($from)) {
- return new PEAR_Error('No from address given');
+ return new PEAR_Error('No from address given.');
+ } elseif (strstr($from, ' ') ||
+ strstr($from, ';') ||
+ strstr($from, '&')) {
+ return new PEAR_Error('From address specified with dangerous
+characters.');
}
$result = 0;
if (@is_executable($this->sendmail_path)) {
- $from = '"' . escapeShellCmd($from) . '"';
+ $from = escapeShellCmd($from);
$mail = popen($this->sendmail_path . " -i -f$from -- $recipients", 'w');
fputs($mail, $text_headers);
fputs($mail, "\n"); // newline to end the headers section
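Review bot: The new blocklist on `$from` rejects only space, `;` and `&`, and now that the surrounding quotes are gone, `escapeShellCmd()` escapes shell metacharacters but does not quote the value, so other whitespace (a tab, for instance) could still split the address into extra sendmail arguments in the `popen()` command. Passing the value as one quoted argument, `$from = escapeshellarg($from);`, or validating it against an allow-list of address characters, would close that gap more reliably than enumerating bad characters. `$recipients` is interpolated into the same command line and its sanitisation is not visible in this hunk, so it deserves the same check. The enclosing method starts and ends outside the hunk.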