projects / squirrelmail.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Updated SVG handling, gracefully fix broken base64-encoded messages, also close XSS...
[squirrelmail.git] / class / deliver / Deliver_SendMail.class.php
diff --git a/class/deliver/Deliver_SendMail.class.php b/class/deliver/Deliver_SendMail.class.php
index 06abdd3173e0c5df2b382a7bd370272c71429363..06747541a0c7e3c45fbc9e8eccf539e532273a46 100644 (file)
--- a/class/deliver/Deliver_SendMail.class.php
+++ b/class/deliver/Deliver_SendMail.class.php
@@ -6,7 +6,7 @@
  * Delivery backend for the Deliver class.
  *
  * @author Marc Groot Koerkamp
- * @copyright 1999-2017 The SquirrelMail Project Team
+ * @copyright 1999-2019 The SquirrelMail Project Team
  * @license http://opensource.org/licenses/gpl-license.php GNU Public License
  * @version $Id$
  * @package squirrelmail
@@ -106,11 +106,10 @@ class Deliver_SendMail extends Deliver {
         $rfc822_header = $message->rfc822_header;
         $from = $rfc822_header->from[0];
         $envelopefrom = trim($from->mailbox.'@'.$from->host);
-        $envelopefrom = str_replace(array("\0","\n"),array('',''),$envelopefrom);
         // save executed command for future reference
-        $this->sendmail_command = "$sendmail_path $this->sendmail_args -f$envelopefrom";
+        $this->sendmail_command = escapeshellcmd("$sendmail_path $this->sendmail_args -f") . escapeshellarg($envelopefrom);
         // open process handle for writing
-        $stream = popen (escapeshellcmd($this->sendmail_command), "w");
+        $stream = popen($this->sendmail_command, "w");
         return $stream;
     }
 
Unnamed repository; edit this file 'description' to name the repository.