Bug #16200 :: security hole allow to read/write Arbitrary File

Package home | Report new bug | New search | Development Roadmap

Status: Open | Feedback | All | Closed Since Version 1.2.0

Bug #16200	security hole allow to read/write Arbitrary File
Submitted:	2009-05-07 10:16 UTC	Modified:	2010-02-08 08:01 UTC
From:	websec	Assigned:	davidc
Status:	Closed	Package:	Mail (version 1.1.14)
PHP Version:	5.2.5	OS:	linux
Roadmaps:	(Not assigned)
Subscription	Your email:

Comments Patches (1) Add Comment Add patch Patch details

Patch	quick-fix	Revisions	2009-05-08 04:36 UTC Upload new revision
Revision	2009-05-08 04:36 UTC
Developer	doconnor

	Download patch

? bug16200.diff
Index: sendmail.php
===================================================================
RCS file: /repository/pear/Mail/Mail/sendmail.php,v
retrieving revision 1.19
diff -u -r1.19 sendmail.php
--- sendmail.php	6 Oct 2007 17:00:00 -0000	1.19
+++ sendmail.php	8 May 2009 03:36:53 -0000
@@ -1,4 +1,6 @@
 <?php
+require_once 'Validate.php';
+
 //
 // +----------------------------------------------------------------------+
 // | PHP Version 4                                                        |
@@ -142,6 +144,12 @@
         }
 
         $from = escapeShellCmd($from);
+
+        if (!Validate::email($from)) {
+            return PEAR::raiseError('From address is not a valid email address');
+        }
+
+
         $mail = @popen($this->sendmail_path . (!empty($this->sendmail_args) ? ' ' . $this->sendmail_args : '') . " -f$from -- $recipients", 'w');
         if (!$mail) {
             return PEAR::raiseError('Failed to open sendmail [' . $this->sendmail_path . '] for execution.');