Package home | Report new bug | New search | Development Roadmap Status: Open | Feedback | All | Closed Since Version 1.2.0

Bug #16200 security hole allow to read/write Arbitrary File
Submitted: 2009-05-07 10:16 UTC Modified: 2010-02-08 08:01 UTC
From: websec Assigned: davidc
Status: Closed Package: Mail (version 1.1.14)
PHP Version: 5.2.5 OS: linux
Roadmaps: (Not assigned)    
Subscription  



Patch quick-fix Revisions
Revision 2009-05-08 04:36 UTC
Developer doconnor
 
Download patch

? bug16200.diff
Index: sendmail.php
===================================================================
RCS file: /repository/pear/Mail/Mail/sendmail.php,v
retrieving revision 1.19
diff -u -r1.19 sendmail.php
--- sendmail.php	6 Oct 2007 17:00:00 -0000	1.19
+++ sendmail.php	8 May 2009 03:36:53 -0000
@@ -1,4 +1,6 @@
 <?php
+require_once 'Validate.php';
+
 //
 // +----------------------------------------------------------------------+
 // | PHP Version 4                                                        |
@@ -142,6 +144,12 @@
         }
 
         $from = escapeShellCmd($from);
+
+        if (!Validate::email($from)) {
+            return PEAR::raiseError('From address is not a valid email address');
+        }
+
+
         $mail = @popen($this->sendmail_path . (!empty($this->sendmail_args) ? ' ' . $this->sendmail_args : '') . " -f$from -- $recipients", 'w');
         if (!$mail) {
             return PEAR::raiseError('Failed to open sendmail [' . $this->sendmail_path . '] for execution.');