[MediaWiki-commits] [Gerrit] mediawiki/core[REL1_28]: Escape return path extra params to php mail()

Wed, 11 Jan 2017 11:34:34 -0800 

jenkins-bot has submitted this change and it was merged. ( 
https://gerrit.wikimedia.org/r/331663 )

Change subject: Escape return path extra params to php mail()
......................................................................


Escape return path extra params to php mail()

PHP only escapes some dangerous shell characters. This is a hardening
measure, as MW's sanitizeEmail routines should also have prevented
evil characters from being in mail addresses in the first place.

Bug: T152717
Change-Id: I3736d612ed40d257ee3dde8e98eb30ccf432670a
(cherry picked from commit d2aba5a04ea17753eae7ab8b7ab049473147ff37)
---
M RELEASE-NOTES-1.28
M includes/mail/UserMailer.php
2 files changed, 9 insertions(+), 1 deletion(-)

Approvals:
  MaxSem: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/RELEASE-NOTES-1.28 b/RELEASE-NOTES-1.28
index 94767b8..dc91bce 100644
--- a/RELEASE-NOTES-1.28
+++ b/RELEASE-NOTES-1.28
@@ -7,6 +7,7 @@
   wikis with $wgJobRunRate > 0.
 * Fix fatal from "WaitConditionLoop" not being found, experienced when a wiki 
has
   more than one database server setup.
+* (T152717) Better escaping for PHP mail() command
 
 == MediaWiki 1.28 ==
 
diff --git a/includes/mail/UserMailer.php b/includes/mail/UserMailer.php
index 1059d7b..f3361fb 100644
--- a/includes/mail/UserMailer.php
+++ b/includes/mail/UserMailer.php
@@ -268,7 +268,14 @@
                // Add the envelope sender address using the -f command line 
option when PHP mail() is used.
                // Will default to the $from->address when the 
UserMailerChangeReturnPath hook fails and the
                // generated VERP address when the hook runs effectively.
-               $extraParams .= ' -f ' . $returnPath;
+
+               // PHP runs this through escapeshellcmd(). However that's not 
sufficient
+               // escaping (e.g. due to spaces). MediaWiki's email sanitizer 
should generally
+               // be good enough, but just in case, put in double quotes, and 
remove any
+               // double quotes present (" is not allowed in emails, so should 
have no
+               // effect, although this might cause apostrophees to be double 
escaped)
+               $returnPathCLI = '"' . str_replace( '"', '', $returnPath ) . 
'"';
+               $extraParams .= ' -f ' . $returnPathCLI;
 
                $headers['Return-Path'] = $returnPath;
 

-- 
To view, visit https://gerrit.wikimedia.org/r/331663
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I3736d612ed40d257ee3dde8e98eb30ccf432670a
Gerrit-PatchSet: 2
Gerrit-Project: mediawiki/core
Gerrit-Branch: REL1_28
Gerrit-Owner: Brian Wolff <[email protected]>
Gerrit-Reviewer: MaxSem <[email protected]>
Gerrit-Reviewer: Reedy <[email protected]>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits

Reply via email to