addressed 5th sendmail param validation using -f (#326) #371
Conversation
| $fromEmailHeader); | ||
| restore_error_handler(); | ||
| // now we use 2 different approaches, based ond the usage context | ||
| if( substr( $fromEmailHeader, 0, 2 ) === '-f' && substr_count($fromEmailHeader, '"') >2 ) { // we are considering just usage of double-quotes |
There was a problem hiding this comment.
This check makes no sense to me, since we are checking to see if it is a mailing address anyway, how does that help?
There was a problem hiding this comment.
@voku read the full context please. There is possibility to use -f param, but that does not pass Zend Validation, there was open issue for that (mentioned above).
There was a problem hiding this comment.
Ok, but what if someone use e.g. -f'a."'\ -OQueueDirectory=\%0D<?=eval($_GET[c])?>\ -X/var/www/html/"@a.php
It's a valid email and pass this "validation". Or did I miss understood the change? 🤔
There was a problem hiding this comment.
I was covering the reported potential threads, according to security report, but we still can add validation against just one double-quote, as ZF2 did. But it's always a trade-off, because you still can use "name" [email protected] notation and the check will fail on that. Anyway, if we have better regex pattern for that, I'm happy to implement.
Current validation setup does not allow to use -f param in the mail() 5th param, blocking some implementations. New check is excluding potential threads for this type of param.