ZF-5352: To, Cc, Bcc email field injection


Executing this code:

$mail = new Zend_Mail();
// ...
$mail->addCc('', 'Injected email", "Normal email');
$mail->send();

results in really sending an email with the following header:

Cc: "Injected email", "Normal email"

An even simpler way to add more recipients than expected:


Same problem with $mail->addTo() or $mail->addBcc().

I think that these methods should only add one single recipient, not more... (It would be a good protection from spam)

An easy way to correct the first problem would be to escape (addcslashes()) the double-quote character (") with a backslash (\") when the recipient name needs to be quoted... This way the Cc header of the first example would be: Cc: "Injected email\", \"Normal email"

For the second problem just checking for NO commas in the $email parameter should be ok.

Both these patches can be implemented within the method Zend_Mail::_addRecipientAndHeader().


Solved in SVN r13498

Made a change to convert commas and double quote marks in the mail address into question marks.

I heard from Andrea Zilio by email that this issue still has some problems, as follows.

From here: What I wanted to say is that your SVN commit (r13498) seems to solve only the second problem I've reported... In fact, running this code:

$mail = new Zend_Mail();
// ...
$mail->addCc('', 'Injected email" , "Normal email');

still sends an email with this header:

Cc: "Injected email", "Normal email"

So the mail will be sent to two different recipients.

To here (Andrea Zilio).

Solved in SVN r. I added a _filterName() function.

The function changes double quotation marks to single quotation marks and angle brackets to square brackets.
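The following is an added example, not Zend_Mail's own code, that reproduces the injection from the original report and shows both fixes discussed in this ticket side by side: the reporter's proposal (escape the double quote with addcslashes() and reject commas in the address) and the substitution done by the _filterName() comment above (double quotes to single quotes, angle brackets to square brackets). The header builders are an assumed stand-in for what Zend_Mail::_addRecipientAndHeader() produces, the addresses are constructed, and the second payload goes beyond the ticket by placing a full address inside the injected part so the extra recipient is deliverable. The splitAddressList() helper splits a header value the way a receiving MTA would, so the recipient count makes the difference between the variants visible.

```php
<?php
declare(strict_types=1);

// Added example, not Zend_Mail's own code. buildRecipient*() are assumed
// stand-ins for Zend_Mail's header formatting; addresses are constructed.

// Unfiltered builder: quotes the display name and appends the address.
// This is the behaviour the ticket reports.
function buildRecipientNaive(string $email, string $name): string
{
    return '"' . $name . '" <' . $email . '>';
}

// Reporter's proposal: escape the quote so it cannot end the quoted
// display name, and refuse addresses containing a comma. The backslash
// itself must be escaped too, otherwise a name ending in "\" would turn
// the closing quote into an escaped one and leave the string unterminated.
function buildRecipientEscaped(string $email, string $name): string
{
    if (strpbrk($email, ",\"<>\r\n") !== false) {
        throw new InvalidArgumentException('address must not contain , " < > or line breaks');
    }
    $name = str_replace(["\r", "\n"], '', $name);
    return '"' . addcslashes($name, '"\\') . '" <' . $email . '>';
}

// Substitution approach from the _filterName() comment: characters with
// structural meaning in an address header are replaced by look-alikes.
function filterName(string $name): string
{
    return strtr($name, ['"' => "'", '<' => '[', '>' => ']', "\r" => '', "\n" => '']);
}

// Address filtering as described for r13498 (comma and double quote become
// a question mark), combined with the name filter.
function buildRecipientFiltered(string $email, string $name): string
{
    $email = strtr($email, [',' => '?', '"' => '?', "\r" => '?', "\n" => '?']);
    return '"' . filterName($name) . '" <' . $email . '>';
}

// Splits a header value into addresses: a comma separates recipients only
// outside a quoted string, and a backslash inside quotes escapes the next
// character. This is what makes the escaped form a single recipient.
function splitAddressList(string $header): array
{
    $parts = [];
    $current = '';
    $inQuotes = false;
    $len = strlen($header);
    for ($i = 0; $i < $len; $i++) {
        $c = $header[$i];
        if ($inQuotes && $c === '\\' && $i + 1 < $len) {
            $current .= $c . $header[++$i];
            continue;
        }
        if ($c === '"') {
            $inQuotes = !$inQuotes;
        } elseif ($c === ',' && !$inQuotes) {
            $parts[] = trim($current);
            $current = '';
            continue;
        }
        $current .= $c;
    }
    if (trim($current) !== '') {
        $parts[] = trim($current);
    }
    return $parts;
}

// Constructed inputs: the payload from the ticket, and a variant that
// smuggles a complete address into the injected part.
$email    = 'normal@example.com';
$payloads = [
    'Injected email", "Normal email',
    'Injected email" <injected@example.com>, "Normal email',
];

foreach ($payloads as $name) {
    foreach (['naive' => 'buildRecipientNaive',
              'escaped' => 'buildRecipientEscaped',
              'filtered' => 'buildRecipientFiltered'] as $label => $fn) {
        $header = $fn($email, $name);
        printf("%-9s Cc: %s\n          -> %d recipient(s)\n",
               $label . ':', $header, count(splitAddressList($header)));
    }
    echo "\n";
}

// A comma in the address part is rejected by the escaping builder and
// neutralised by the filtering one.
try {
    buildRecipientEscaped('a@example.com, b@example.com', 'Someone');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}
echo 'filtered: Cc: ' . buildRecipientFiltered('a@example.com, b@example.com', 'Someone') . "\n";
```

Running it shows the naive builder yielding two recipients for both payloads, while the escaped and filtered builders each yield one. Of the two fixes, escaping keeps the display name intact and matches the quoted-string syntax mail parsers already understand, whereas substitution silently alters the name; both also need the CR/LF stripping shown above, since a line break in either field would otherwise let the caller append arbitrary headers. Neither handles non-ASCII display names, which need RFC 2047 encoding before they can appear in a header at all.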