From 59905091396a37bd4be6a38a1934117315ef7d6c Mon Sep 17 00:00:00 2001
From: "lpsolit%gmail.com" <>
Date: Thu, 23 Aug 2007 20:45:34 +0000
Subject: Bug 386860: [SECURITY] Insufficient escaping of From address when
 using Sendmail - Patch by Max Kanat-Alexander <mkanat@bugzilla.org>
 r/a=LpSolit

---
 Bugzilla/Mailer.pm | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

(limited to 'Bugzilla/Mailer.pm')

diff --git a/Bugzilla/Mailer.pm b/Bugzilla/Mailer.pm
index b4b2f320d..03f370a4e 100644
--- a/Bugzilla/Mailer.pm
+++ b/Bugzilla/Mailer.pm
@@ -44,6 +44,7 @@ use Bugzilla::Util;
 use Date::Format qw(time2str);
 
 use Encode qw(encode);
+use Email::Address;
 use Email::MIME;
 # Loading this gives us encoding_set.
 use Email::MIME::Modifier;
@@ -80,7 +81,14 @@ sub MessageToMTA {
             $Email::Send::Sendmail::SENDMAIL = SENDMAIL_EXE;
         }
         push @args, "-i";
-        push(@args, "-f$from") if $from;
+        # We want to make sure that we pass *only* an email address.
+        if ($from) {
+            my ($email_obj) = Email::Address->parse($from);
+            if ($email_obj) {
+                my $from_email = $email_obj->address;
+                push(@args, "-f$from_email") if $from_email;
+            }
+        }
         push(@args, "-ODeliveryMode=deferred")
             if !Bugzilla->params->{"sendmailnow"};
     }
-- 
cgit v1.2.3-24-g4f1b