Issue Type: Bug Created: 2008-12-25T18:39:32.000+0000 Last Updated: 2012-03-14T05:51:49.000+0000 Status: Resolved Fix version(s): - 1.7.3 (19/Jan/09)
Reporter: Andrea Zilio (epper) Assignee: Satoru Yoshida (satoruyoshida) Tags: - Zend_Mail
Related issues: Attachments:
Executing this code:
$mail = new Zend_Mail(); // ... $mail->addCc('email@example.com', 'Injected email" firstname.lastname@example.org, "Normal email'); $mail->send();
results in really sending an email with the following header:
An even simpler way to add more recipients than expected:
Same problem with $mail->addTo() or $mail->addBcc() .
I think that these methods should only add one single recipient, not more... (It would be a good protection from spam)
An easy way to correct the first problem should be by escaping (addcslashes()) the double-quote character (") with a backslash (\") when the recipient name needs to be quoted... This way the Cc header of the first example would be: Cc: "Injected email\" email@example.com, \"Normal email" firstname.lastname@example.org
For the second problem just checking for NO commas in the $email parameter should be ok.
Both these patches can be implemented within the method Zend_Mail::_addRecipientAndHeader().
Posted by old of Satoru Yoshida (email@example.com) on 2009-01-03T01:07:27.000+0000
Solved in SVN r13498
make to change comma and double quote mark in mail address into question mark.
Posted by old of Satoru Yoshida (firstname.lastname@example.org) on 2009-01-04T20:07:43.000+0000
I hear from Andrea Zilio that this issue rests some problem by email as following .
from here What I wanted to say is that your svn commit (r13498) seems to solve only the second problem I've reported... In fact running this code:
<pre class="highlight"> $mail = new Zend_Mail(); // ... $mail->addCc('email@example.com', 'Injected email" , "Normal email'); $mail->send();
still sends an email with this header:
So the mail will be sent to two different recipients.
Andrea Zilio to here
Posted by old of Satoru Yoshida (firstname.lastname@example.org) on 2009-01-10T05:09:32.000+0000
Solved in SVN r I add _filterName() function.
The function changes the double quotation to single quotation and the angle brackets to square brackets.
Have you found an issue?
See the Overview section for more details.