
Key: ZF-5352
Type: Bug
Status: Resolved
Resolution: Fixed
Priority: Major
Assignee: Satoru Yoshida
Reporter: Andrea Zilio
Votes: 1
Watchers: 2
Zend Framework

To,Cc,Bcc email fields injection

Created: 25/Dec/08 06:39 PM   Updated: 10/Jan/09 05:10 AM   Resolved: 10/Jan/09 05:09 AM
Component/s: Zend_Mail
Affects Version/s: 1.7.2
Fix Version/s: 1.7.3

Time Tracking:
Original Estimate: Not Specified
Remaining Estimate: 0 minutes
Time Spent: 3 hours, 10 minutes

Fix Version Priority: Must Have


Description

Executing this code:

$mail = new Zend_Mail();
// ...
$mail->addCc('email@example.com', 'Injected email" <injected.email@example.com>, "Normal email');
$mail->send();

results in really sending an email with the following header:

Cc: "Injected email" <injected.email@example.com>, "Normal email" <email@example.com>

An even simpler way to add more recipients than expected:

$mail->addCc('email@example.com,another.email@example.com');

Same problem with $mail->addTo() or $mail->addBcc().

I think that these methods should only add one single recipient, not more... (It would be a good protection from spam)

An easy way to correct the first problem should be by escaping (addcslashes()) the double-quote character (") with a backslash (\") when the recipient name needs to be quoted... This way the Cc header of the first example would be:
Cc: "Injected email\" <injected.email@example.com>, \"Normal email" <email@example.com>

For the second problem just checking for NO commas in the $email parameter should be ok.

Both these patches can be implemented within the method Zend_Mail::_addRecipientAndHeader().



Satoru Yoshida added a comment - 03/Jan/09 01:07 AM

Solved in SVN r13498

Changed commas and double quote marks in the mail address into question marks.


Satoru Yoshida added a comment - 04/Jan/09 08:07 PM

I heard from Andrea Zilio by email that some problem remains with this issue, as follows.

__from here__
What I wanted to say is that your svn commit (r13498) seems to solve only the second problem I've reported...
In fact running this code:

$mail = new Zend_Mail();
// ...
$mail->addCc('email@example.com', 'Injected email" <injected.email@example.com>, "Normal email');
$mail->send();

still sends an email with this header:

Cc: "Injected email" <injected.email@example.com>, "Normal email" <normal@example.com>

So the mail will be sent to two different recipients.

Andrea Zilio
__to here__


Satoru Yoshida added a comment - 10/Jan/09 05:09 AM

Solved in SVN r
I added the _filterName() function.

The function changes the double quotation to single quotation and the angle brackets to square brackets.
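
The two filters described in the comments above, as an added PHP sketch applied to the inputs from the report (this is not Zend Framework's own code). The function names are hypothetical, and the CR/LF stripping is an assumption that goes beyond what the issue states.

```php
<?php
// Added illustration, not Zend Framework source. All function names are hypothetical.

// Address filter as described for r13498: comma and double quote become '?'.
function filter_recipient_email(string $email): string
{
    // Assumption added here (not stated in the issue): drop CR/LF as well,
    // so the address cannot start a new header line.
    $email = str_replace(["\r", "\n"], '', $email);
    return strtr($email, [',' => '?', '"' => '?']);
}

// Name filter as described for _filterName(): " -> ', < -> [, > -> ].
function filter_recipient_name(string $name): string
{
    // Same CR/LF assumption as above.
    $name = str_replace(["\r", "\n"], '', $name);
    return strtr($name, ['"' => "'", '<' => '[', '>' => ']']);
}

// Build one address-list entry in the "Name" <address> form shown in the report.
function format_recipient(string $email, string $name = ''): string
{
    $email = filter_recipient_email($email);
    if ($name === '') {
        return $email;
    }
    return '"' . filter_recipient_name($name) . '" <' . $email . '>';
}

// Constructed inputs: the two cases from the issue description.
$cases = [
    ['email@example.com', 'Injected email" <injected.email@example.com>, "Normal email'],
    ['email@example.com,another.email@example.com', ''],
];

foreach ($cases as [$email, $name]) {
    echo 'Cc: ', format_recipient($email, $name), PHP_EOL;
}
```

With the name filter applied, the injected text can no longer close the quoted display name or open an angle-bracket address, so the whole string stays inside one quoted name and the header carries a single recipient. With the address filter applied, the comma-separated value becomes a single, invalid address.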