- Timestamp:
- Dec 6, 2006 11:08:07 PM (17 years ago)
- File:
-
- 1 edited
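--- a/trunk/lib/Email.inc.php
+++ b/trunk/lib/Email.inc.php
@@ -40,5 +40,14 @@
         'subject' => null,
         'headers' => null,
-        'regex' => null
+        'regex' => null,
+
+        // A single carriage return (\n) should terminate lines for locally injected mail.
+        // A carriage return + line-feed (\r\n) should be used if sending mail directly with SMTP.
+        'crlf' => "\n",
+
+        // RFC 2822 says line length MUST be no more than 998 characters, and SHOULD be no more than 78 characters, excluding the CRLF.
+        // http://mailformat.dan.info/body/linelength.html
+        'wrap' => true,
+        'line_length' => 75,
     );
 
@@ -255,5 +264,8 @@
 
         // Wrap email text body, using _template_replaced if replacements have been used, or just a fresh _template if not.
-        $final_body = wordwrap(isset($this->_template_replaced) ? $this->_template_replaced : $this->_template);
+        $final_body = isset($this->_template_replaced) ? $this->_template_replaced : $this->_template;
+        if (false !== $this->getParam('wrap')) {
+            $final_body = wordwrap($final_body, $this->getParam('line_length'), $this->getParam('crlf'));
+        }
 
         // Ensure all placeholders have been replaced. Find anything with {...} characters.
@@ -279,12 +291,17 @@
             $final_headers[] = sprintf('%s: %s', $key, $val);
         }
-        $final_headers = join( "\r\n", $final_headers);
+        $final_headers = join($this->getParam('crlf'), $final_headers);
 
         // This is the address where delivery problems are sent to. We must strip off everything except the local@domain part.
-        $envelope_sender_header = sprintf('-f %s', preg_replace('/^.*<?([^\s@\[\]<>()]+\@[A-Za-z0-9.-]{1,}\.[A-Za-z]{2,5})>?$/iU', '$1', $this->_params['from']));
+        $envelope_sender_address = preg_replace('/^.*<?([^\s@\[\]<>()]+\@[A-Za-z0-9.-]{1,}\.[A-Za-z]{2,5})>?$/iU', '$1', $this->_params['from']);
+        if ('' != $envelope_sender_address && $this->validEmail($envelope_sender_address)) {
+            $envelope_sender_header = sprintf('-f %s', $envelope_sender_address);
+        } else {
+            $envelope_sender_header = '';
+        }
 
         // Check for mail header injection attacks.
-        $full_mail_content = join( "\n", array($final_to, $this->_params['subject'], $final_body, $final_headers, $envelope_sender_header));
-        if (preg_match("/( Content-Type:|MIME-Version:|Content-Transfer-Encoding:|[\n\r]Bcc:|[\n\r]Cc:)/i", $full_mail_content)) {
+        $full_mail_content = join($this->getParam('crlf'), array($final_to, $this->_params['subject'], $final_body));
+        if (preg_match("/(^|[\n\r])(Content-Type|MIME-Version|Content-Transfer-Encoding|Bcc|Cc):/i", $full_mail_content)) {
             $app->logMsg(sprintf('Mail header injection attack in content: %s', $full_mail_content), LOG_WARNING, __FILE__, __LINE__);
             sleep(3);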
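Review bot: The injection check at new line 304 no longer scans `$final_headers` at all, so a caller-supplied header value (the `headers` param joined at line 293) containing an embedded CR or LF is passed straight to the mail call without inspection, and the name list at line 305 only catches five header names, so an injected `To:`, `Reply-To:` or any other field in the recipient or subject slips through. The robust check is to reject any raw line break in the addressing fields and in each header value before they are joined, independent of the header name, e.g. `if (preg_match("/[\r\n]/", $final_to . $this->_params['subject']) || preg_match("/[\r\n]/", join('', (array) $this->_params['headers']))) {`, keeping the existing log-and-sleep branch as the response. The envelope sender change is sound since `validEmail()` now gates what reaches the `-f` option, but `'' != $envelope_sender_address` is a loose comparison and `preg_replace()` can return `null` on a PCRE error; `'' !== $envelope_sender_address` plus a `null` check makes the guard explicit. The enclosing method starts and ends outside this hunk.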