From c6c3ccc42d7115697c1511e75ec5c00a2286e568 Mon Sep 17 00:00:00 2001 From: pdontthink Date: Mon, 24 Apr 2017 19:46:13 +0000 Subject: [PATCH] Fix insufficient sendmail command argument escaping (thanks to Mitchel Sahertian, Maor Shwartz and Dawid Golunski for bringing this to our attention). [CVE-2017-7692] git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@14650 7612ce4b-ef26-0410-bec9-ea0150e637f0 --- class/deliver/Deliver_SendMail.class.php | 5 ++--- doc/ChangeLog | 3 +++ 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/class/deliver/Deliver_SendMail.class.php b/class/deliver/Deliver_SendMail.class.php index 06abdd31..27b9845e 100644 --- a/class/deliver/Deliver_SendMail.class.php +++ b/class/deliver/Deliver_SendMail.class.php @@ -106,11 +106,10 @@ class Deliver_SendMail extends Deliver { $rfc822_header = $message->rfc822_header; $from = $rfc822_header->from[0]; $envelopefrom = trim($from->mailbox.'@'.$from->host); - $envelopefrom = str_replace(array("\0","\n"),array('',''),$envelopefrom); // save executed command for future reference - $this->sendmail_command = "$sendmail_path $this->sendmail_args -f$envelopefrom"; + $this->sendmail_command = escapeshellcmd("$sendmail_path $this->sendmail_args -f") . escapeshellarg($envelopefrom); // open process handle for writing - $stream = popen (escapeshellcmd($this->sendmail_command), "w"); + $stream = popen($this->sendmail_command, "w"); return $stream; } diff --git a/doc/ChangeLog b/doc/ChangeLog index d4cdb30a..2d541670 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -404,6 +404,9 @@ Version 1.5.2 - SVN the HELO host sent to the SMTP server when sending messages - Added PDO support for database connections, so no external database module needs to be installed + - Fixed insufficient sendmail command argument escaping (thanks + to Mitchel Sahertian, Maor Shwartz and Dawid Golunski for + bringing this to our attention). [CVE-2017-7692] Version 1.5.1 (branched on 2006-02-12) -------------------------------------- -- 2.25.1