fix for security exploit described in bug #812690 reported by Neal Krawetz
authorstekkel <stekkel@7612ce4b-ef26-0410-bec9-ea0150e637f0>
Thu, 25 Sep 2003 23:33:32 +0000 (23:33 +0000)
committerstekkel <stekkel@7612ce4b-ef26-0410-bec9-ea0150e637f0>
Thu, 25 Sep 2003 23:33:32 +0000 (23:33 +0000)
(hackerfactor)

git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@5774 7612ce4b-ef26-0410-bec9-ea0150e637f0

class/deliver/Deliver_SendMail.class.php

index 57b17ad..2f62a97 100644 (file)
@@ -23,7 +23,7 @@ class Deliver_SendMail extends Deliver {
     function initStream($message, $sendmail_path) {
         $rfc822_header = $message->rfc822_header;
        $from = $rfc822_header->from[0];
-       $envelopefrom = $from->mailbox.'@'.$from->host;
+       $envelopefrom = trim($from->mailbox.'@'.$from->host);
        if (strstr($sendmail_path, "qmail-inject")) {
            $stream = popen (escapeshellcmd("$sendmail_path -i -f$envelopefrom"), "w");
        } else {
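Review bot: `trim()` on the added line strips only leading and trailing whitespace, so whitespace inside `$from->mailbox` or `$from->host` still reaches the `popen()` command string on the qmail-inject line. There `escapeshellcmd()` escapes shell metacharacters but does not quote the value, so the shell can still split it into additional arguments to the mailer. Pass the address as one quoted argument instead, for example `$stream = popen(escapeshellcmd($sendmail_path) . ' -i -f' . escapeshellarg($envelopefrom), "w");`, and reject an address that contains whitespace or control characters before building the command. The value comes from the message's From header, so a comment such as `// envelope sender is taken from the From header; treat as untrusted` would record why the quoting is needed. The `else` branch continues outside the hunk and presumably builds a similar command, so it should be checked for the same pattern.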