From: pallo
Date: Tue, 19 Sep 2000 08:22:44 +0000 (+0000)
Subject: Small security patch: Make sure that the envelope sender address doesn't
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=6ebf8b305f3551fd9e5a6f9b5643bf0b5356fe04;hp=3e1266efa28fa69f07653f83464482b49688b2a4;p=squirrelmail.git

Small security patch: Make sure that the envelope sender address doesn't contain any spaces or other chars that could be used in an expolit.

git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@746 7612ce4b-ef26-0410-bec9-ea0150e637f0
---
diff --git a/functions/smtp.php b/functions/smtp.php
index f8c3fdbb..ef8684da 100644
--- a/functions/smtp.php
+++ b/functions/smtp.php
@@ -254,8 +254,16 @@ function sendSendmail($t, $c, $b, $subject, $body, $more_headers) {
 global $sendmail_path, $username, $domain;
+ // Build envelope sender address. Make sure it doesn't contain
+ // spaces or other "weird" chars that would allow a user to
+ // exploit the shell/pipe it is used in.
+ $envelopefrom = "$username@$domain";
+ $envelopefrom = ereg_replace("[[:blank:]]","", $envelopefrom);
+ $envelopefrom = ereg_replace("[[:space:]]","", $envelopefrom);
+ $envelopefrom = ereg_replace("[[:cntrl:]]","", $envelopefrom);
+
 // open pipe to sendmail
- $fp = popen (escapeshellcmd("$sendmail_path -t -f$username@$domain"), "w");
+ $fp = popen (escapeshellcmd("$sendmail_path -t -f$envelopefrom"), "w");
 $headerlength = write822Header ($fp, $t, $c, $b, $subject, $more_headers);
 $bodylength = writeBody($fp, $body);
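Review bot: The three ereg_replace() calls on $envelopefrom are a denylist that silently rewrites a bad address instead of rejecting it: only whitespace and control characters are removed, so every other byte of $username and $domain still reaches the command line with nothing but escapeshellcmd() between it and the sendmail pipe, and a stripped value such as "john doe" becomes the different address "johndoe", which is where bounces for that message would presumably go. An allowlist is tighter and easier to reason about — `$fromopt = ereg("^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+$", $envelopefrom) ? " -f$envelopefrom" : "";` followed by `$fp = popen (escapeshellcmd("$sendmail_path -t$fromopt"), "w");` — so a value that fails validation never becomes a shell argument at all (whether to drop -f or refuse the send is a policy choice worth a comment, since without -f the envelope sender falls back to whatever sendmail defaults to). Separately, [[:blank:]] is a subset of [[:space:]], so the first replacement is redundant and can be deleted. sendSendmail() starts before this hunk and continues after it, so any rejection path has to fit the error handling that lives outside the visible lines.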