Merge pull request zendframework#140 from paragonie-scott/patch-2

Always escape shell arguments before mail()

src/Transport/Sendmail.php

@@ -257,15 +257,15 @@ protected function prepareParameters(Mail\Message $message)
 
         $sender = $message->getSender();
         if ($sender instanceof AddressInterface) {
-            $parameters .= ' -f' . $sender->getEmail();
+            $parameters .= ' -f' . \escapeshellarg($sender->getEmail());
             return $parameters;
         }
 
         $from = $message->getFrom();
         if (count($from)) {
             $from->rewind();
             $sender      = $from->current();
-            $parameters .= ' -f' . $sender->getEmail();
+            $parameters .= ' -f' . \escapeshellarg($sender->getEmail());
             return $parameters;
         }
 

test/Transport/SendmailTest.php

@@ -147,6 +147,22 @@ public function testCodeInjectionInFromHeader()
         $this->transport->send($message);
     }
 
+    /**
+     * @ref CVE-2016-10033 which targeted WordPress
+     */
+    public function testSecondCodeInjectionInFromHeader()
+    {
+        $this->setExpectedException(RuntimeException::class);
+
+        $message = $this->getMessage();
+        $message->setBody('This is the text of the email.');
+        $message->setFrom('user@xenial(tmp1 -be ${run{${substr{0}{1}{$spool_directory}}usr${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}touch${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}test}}  tmp2)', 'Sender\'s name');
+
+        $message->addTo('hacker@localhost', 'Name of recipient');
+        $message->setSubject('TestSubject');
+        $this->transport->send($message);
+    }
+
     public function testValidEmailLocaDomainInFromHeader()
     {
         $message = $this->getMessage();