Fix insufficient sendmail command argument escaping (thanks to Mitchel Sahertian...
authorpdontthink <pdontthink@7612ce4b-ef26-0410-bec9-ea0150e637f0>
Mon, 24 Apr 2017 19:46:13 +0000 (19:46 +0000)
committerpdontthink <pdontthink@7612ce4b-ef26-0410-bec9-ea0150e637f0>
Mon, 24 Apr 2017 19:46:13 +0000 (19:46 +0000)
git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@14650 7612ce4b-ef26-0410-bec9-ea0150e637f0

class/deliver/Deliver_SendMail.class.php
doc/ChangeLog

index 06abdd3173e0c5df2b382a7bd370272c71429363..27b9845e105e8d6140c41d0b25b62273a5057fc8 100644 (file)
@@ -106,11 +106,10 @@ class Deliver_SendMail extends Deliver {
         $rfc822_header = $message->rfc822_header;
         $from = $rfc822_header->from[0];
         $envelopefrom = trim($from->mailbox.'@'.$from->host);
-        $envelopefrom = str_replace(array("\0","\n"),array('',''),$envelopefrom);
         // save executed command for future reference
-        $this->sendmail_command = "$sendmail_path $this->sendmail_args -f$envelopefrom";
+        $this->sendmail_command = escapeshellcmd("$sendmail_path $this->sendmail_args -f") . escapeshellarg($envelopefrom);
         // open process handle for writing
-        $stream = popen (escapeshellcmd($this->sendmail_command), "w");
+        $stream = popen($this->sendmail_command, "w");
         return $stream;
     }
 
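Review bot: The removed `str_replace(array("\0","\n"), ...)` line was the only place NUL bytes were dropped from `$envelopefrom`, and `escapeshellarg()` does not strip them; depending on PHP version a NUL in its input produces an error, a `false` return (which concatenates as an empty string, leaving a bare `-f`) or a `ValueError`, so the new line should not be relied on alone for that case. `$envelopefrom` is built from the parsed From header (`$from->mailbox`, `$from->host`), i.e. client-influenced, so I would keep `$envelopefrom = str_replace("\0", '', $envelopefrom);` immediately before the `escapeshellcmd(...) . escapeshellarg(...)` line, or reject the address outright when it contains control characters, as defence in depth behind the quoting. Separately, `popen()` returns `false` on failure and the method returns `$stream` unchecked; a comment such as `// callers must test for false` or an explicit check would make that contract visible. The enclosing method begins before this hunk, so the origin of `$sendmail_path` is not visible here.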
index d4cdb30a35ce03c89eff2836eb58e944e819b84e..2d5416704f0883ef865d85b5222a37c19910c8d5 100644 (file)
@@ -404,6 +404,9 @@ Version 1.5.2 - SVN
     the HELO host sent to the SMTP server when sending messages
   - Added PDO support for database connections, so no external
     database module needs to be installed
+  - Fixed insufficient sendmail command argument escaping (thanks
+    to Mitchel Sahertian, Maor Shwartz and Dawid Golunski for
+    bringing this to our attention). [CVE-2017-7692]
 
 Version 1.5.1 (branched on 2006-02-12)
 --------------------------------------