- function sendSendmail($t, $c, $b, $subject, $body) {
- global $sendmail_path, $username, $domain;
+ function sendSendmail($t, $c, $b, $subject, $body, $more_headers) {
+ global $sendmail_path, $popuser, $username, $domain;
+
+ // Build envelope sender address. Make sure it doesn't contain
+ // spaces or other "weird" chars that would allow a user to
+ // exploit the shell/pipe it is used in.
+ $envelopefrom = "$popuser@$domain";
+ $envelopefrom = ereg_replace("[[:blank:]]",'', $envelopefrom);
+ $envelopefrom = ereg_replace("[[:space:]]",'', $envelopefrom);
+ $envelopefrom = ereg_replace("[[:cntrl:]]",'', $envelopefrom);