Zend Framework

To, Cc, Bcc email fields injection

Details

  • Type: Bug
  • Status: Resolved
  • Priority: Major
  • Resolution: Fixed
  • Affects Version/s: 1.7.2
  • Fix Version/s: 1.7.3
  • Component/s: Zend_Mail
  • Labels: None
  • Fix Version Priority: Must Have

Description

Executing this code:

$mail = new Zend_Mail();
// ...
$mail->addCc('email@example.com', 'Injected email" <injected.email@example.com>, "Normal email');
$mail->send();

results in really sending an email with the following header:

Cc: "Injected email" <injected.email@example.com>, "Normal email" <email@example.com>

An even simpler way to add more recipients than expected:

$mail->addCc('email@example.com,another.email@example.com');

The same problem occurs with $mail->addTo() or $mail->addBcc().

I think that these methods should only add one single recipient, not more... (It would be a good protection from spam)

An easy way to correct the first problem should be by escaping (addcslashes()) the double-quote character (") with a backslash (\") when the recipient name needs to be quoted... This way the Cc header of the first example would be:
Cc: "Injected email\" <injected.email@example.com>, \"Normal email" <email@example.com>

For the second problem just checking for NO commas in the $email parameter should be ok.

Both these patches can be implemented within the method Zend_Mail::_addRecipientAndHeader().
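
The two checks proposed in the description, shown next to the unescaped formatting it reports. This is an added example, not Zend Framework code and not the fix that was committed; the function names formatRecipientNaive() and formatRecipientSafe() are hypothetical.

```php
<?php
// Added illustration; these helpers are hypothetical, not Zend_Mail internals.

// Naive formatting: the display name is placed between quotes unescaped,
// so a double quote inside it ends the quoted string early.
function formatRecipientNaive(string $email, string $name): string
{
    return sprintf('"%s" <%s>', $name, $email);
}

// Hardened formatting: exactly one address per call, and the display name
// cannot break out of its quoted string.
function formatRecipientSafe(string $email, string $name = ''): string
{
    // A comma, quote, angle bracket or whitespace (including CR/LF) in the
    // address could introduce a second recipient or a new header line.
    if ($email === '' || preg_match('/[,"<>\s]/', $email)) {
        throw new InvalidArgumentException('Expected exactly one e-mail address');
    }
    // Line breaks in the name would allow additional header lines.
    if (preg_match('/[\r\n]/', $name)) {
        throw new InvalidArgumentException('Line breaks are not allowed in a name');
    }
    if ($name === '') {
        return '<' . $email . '>';
    }
    // Escape backslash and double quote, as the description suggests.
    return '"' . addcslashes($name, "\"\\") . '" <' . $email . '>';
}

// Inputs taken from the description above.
$name = 'Injected email" <injected.email@example.com>, "Normal email';
echo 'Cc: ', formatRecipientNaive('email@example.com', $name), "\n";
echo 'Cc: ', formatRecipientSafe('email@example.com', $name), "\n";

try {
    formatRecipientSafe('email@example.com,another.email@example.com');
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```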

Activity

Satoru Yoshida added a comment -

Solved in SVN r13498

I made it change commas and double quote marks in the mail address into question marks.

Satoru Yoshida added a comment -

I heard from Andrea Zilio by email that some problem remains with this issue, as follows.

__from here__
What I wanted to say is that your svn commit (r13498) seems to solve only the second problem I've reported...
In fact running this code:

$mail = new Zend_Mail();
// ...
$mail->addCc('email@example.com', 'Injected email" <injected.email@example.com>, "Normal email');
$mail->send();

still sends an email with this header:

Cc: "Injected email" <injected.email@example.com>, "Normal email" <normal@example.com>

So the mail will be sent to two different recipients.

Andrea Zilio
__to here__

Satoru Yoshida added a comment -

Solved in SVN r
I added the _filterName() function.

The function changes double quotation marks to single quotation marks and angle brackets to square brackets.


Time Tracking

Estimated: Not Specified
Remaining: 0m
Logged: 3h 10m