
authorLukas Reschke <lukas@statuscode.ch>2016-12-29 18:26:41 +0300
committerGitHub <noreply@github.com>2016-12-29 18:26:41 +0300
commit5b8b0b46fe50455a38750edb7099d2c7e047163d (patch)
treef8bd4acc53c449200a8c07f3ee53ae2f3167ffb9
parentcba0f29cd541dc796dbc41d79fca9171321cb2e2 (diff)
parentcc405e7ffef7f9028094174cadcc1a7dd9a181fc (diff)
Merge pull request #27 from nextcloud/stable10-swift-cherry-pickv10.0.6RC1v10.0.6v10.0.5RC2v10.0.5RC1v10.0.5v10.0.4RC1v10.0.4v10.0.3RC1v10.0.3stable10
[stable10] Swift transport
-rw-r--r--swiftmailer/swiftmailer/lib/classes/Swift/Transport/MailTransport.php52
1 files changed, 50 insertions, 2 deletions
diff --git a/swiftmailer/swiftmailer/lib/classes/Swift/Transport/MailTransport.php b/swiftmailer/swiftmailer/lib/classes/Swift/Transport/MailTransport.php
index 1ec36e30..681c5426 100644
--- a/swiftmailer/swiftmailer/lib/classes/Swift/Transport/MailTransport.php
+++ b/swiftmailer/swiftmailer/lib/classes/Swift/Transport/MailTransport.php
@@ -163,8 +163,7 @@ class Swift_Transport_MailTransport implements Swift_Transport
$body = str_replace("\r\n.", "\r\n..", $body);
}
- if ($this->_invoker->mail($to, $subject, $body, $headers,
- sprintf($this->_extraParams, $reversePath))) {
+ if ($this->_invoker->mail($to, $subject, $body, $headers, $this->_formatExtraParams($this->_extraParams, $reversePath))) {
if ($evt) {
$evt->setResult(Swift_Events_SendEvent::RESULT_SUCCESS);
$evt->setFailedRecipients($failedRecipients);
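Review bot: The rewritten call on the `+` line hands whatever `_formatExtraParams()` returns straight to `$this->_invoker->mail()`, and per the helper's added body that is `null` when the parameters collapse to empty, or the params with `-f` silently stripped when `$reversePath` fails `_isShellSafe()`; the message is still sent, under the MTA's default envelope sender, and nothing in this branch records that (whether the invoker's fifth parameter accepts `null` is not visible here). A reader of `send()` would want that spelled out at the call, e.g. `// _formatExtraParams() drops -f<reversePath> (and may yield null) when the reverse path is not shell-safe; the mail still goes out under the MTA's default envelope sender.` Note also that the helper only recognises the literal `-f%s` token, so an extra-params string configured with any other `%s` placeholder is no longer run through sprintf() and reaches mail() with a literal `%s` — a behaviour change from the removed `sprintf()` that is presumably intended but worth stating in the helper's docblock. `send()` starts and ends outside this hunk.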
@@ -192,6 +191,55 @@ class Swift_Transport_MailTransport implements Swift_Transport
return $count;
}
+
+ /**
+ * Fix CVE-2016-10074 by disallowing potentially unsafe shell characters.
+ *
+ * Note that escapeshellarg and escapeshellcmd are inadequate for our purposes, especially on Windows.
+ *
+ * @param string $string The string to be validated
+ *
+ * @return bool
+ */
+ private function _isShellSafe($string)
+ {
+ // Future-proof
+ if (escapeshellcmd($string) !== $string || !in_array(escapeshellarg($string), array("'$string'", "\"$string\""))) {
+ return false;
+ }
+ $length = strlen($string);
+ for ($i = 0; $i < $length; ++$i) {
+ $c = $string[$i];
+ // All other characters have a special meaning in at least one common shell, including = and +.
+ // Full stop (.) has a special meaning in cmd.exe, but its impact should be negligible here.
+ // Note that this does permit non-Latin alphanumeric characters based on the current locale.
+ if (!ctype_alnum($c) && strpos('@_-.', $c) === false) {
+ return false;
+ }
+ }
+ return true;
+ }
+
+ /**
+ * Return php mail extra params to use for invoker->mail.
+ *
+ * @param $extraParams
+ * @param $reversePath
+ *
+ * @return string|null
+ */
+ private function _formatExtraParams($extraParams, $reversePath)
+ {
+ if (false !== strpos($extraParams, '-f%s')) {
+ if (empty($reversePath) || false === $this->_isShellSafe($reversePath)) {
+ $extraParams = str_replace('-f%s', '', $extraParams);
+ } else {
+ $extraParams = sprintf($extraParams, $reversePath);
+ }
+ }
+ return !empty($extraParams) ? $extraParams : null;
+ }
+
/**
* Register a plugin.
*