summaryrefslogtreecommitdiffstats
path: root/system/libraries
diff options
context:
space:
mode:
Diffstat (limited to 'system/libraries')
-rw-r--r--system/libraries/Email.php58
-rw-r--r--system/libraries/Image_lib.php39
2 files changed, 76 insertions, 21 deletions
diff --git a/system/libraries/Email.php b/system/libraries/Email.php
index bfff8953b..1483f2203 100644
--- a/system/libraries/Email.php
+++ b/system/libraries/Email.php
@@ -450,7 +450,6 @@ class CI_Email {
$this->_headers = array();
$this->_debug_msg = array();
- $this->set_header('User-Agent', $this->useragent);
$this->set_header('Date', $this->_set_date());
if ($clear_attachments !== FALSE)
@@ -1824,6 +1823,33 @@ class CI_Email {
// --------------------------------------------------------------------
/**
+ * Validate email for shell
+ *
+ * Applies stricter, shell-safe validation to email addresses.
+ * Introduced to prevent RCE via sendmail's -f option.
+ *
+ * @see https://github.com/bcit-ci/CodeIgniter/issues/4963
+ * @see https://gist.github.com/Zenexer/40d02da5e07f151adeaeeaa11af9ab36
+ * @license https://creativecommons.org/publicdomain/zero/1.0/ CC0 1.0, Public Domain
+ *
+ * Credits for the base concept go to Paul Buonopane <paul@namepros.com>
+ *
+ * @param string $email
+ * @return bool
+ */
+ protected function _validate_email_for_shell(&$email)
+ {
+ if (function_exists('idn_to_ascii') && $atpos = strpos($email, '@'))
+ {
+ $email = self::substr($email, 0, ++$atpos).idn_to_ascii(self::substr($email, $atpos));
+ }
+
+ return (filter_var($email, FILTER_VALIDATE_EMAIL) === $email && preg_match('#\A[a-z0-9._+-]+@[a-z0-9.-]{1,253}\z#i', $email));
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
* Send using mail()
*
* @return bool
@@ -1835,9 +1861,18 @@ class CI_Email {
$this->_recipients = implode(', ', $this->_recipients);
}
+ // _validate_email_for_shell() below accepts by reference,
+ // so this needs to be assigned to a variable
+ $from = $this->clean_email($this->_headers['Return-Path']);
+
+ if ( ! $this->_validate_email_for_shell($from))
+ {
+ return mail($this->_recipients, $this->_subject, $this->_finalbody, $this->_header_str);
+ }
+
// most documentation of sendmail using the "-f" flag lacks a space after it, however
// we've encountered servers that seem to require it to be in place.
- return mail($this->_recipients, $this->_subject, $this->_finalbody, $this->_header_str, '-f '.$this->clean_email($this->_headers['Return-Path']));
+ return mail($this->_recipients, $this->_subject, $this->_finalbody, $this->_header_str, '-f '.$from);
}
// --------------------------------------------------------------------
@@ -1849,13 +1884,22 @@ class CI_Email {
*/
protected function _send_with_sendmail()
{
+ // _validate_email_for_shell() below accepts by reference,
+ // so this needs to be assigned to a variable
+ $from = $this->clean_email($this->_headers['From']);
+ if ($this->_validate_email_for_shell($from))
+ {
+ $from = '-f '.$from;
+ }
+ else
+ {
+ $from = '';
+ }
+
// is popen() enabled?
- if ( ! function_usable('popen')
- OR FALSE === ($fp = @popen(
- $this->mailpath.' -oi -f '.escapeshellarg($this->clean_email($this->_headers['From'])).' -t'
- , 'w'))
- ) // server probably has popen disabled, so nothing we can do to get a verbose error.
+ if ( ! function_usable('popen') OR FALSE === ($fp = @popen($this->mailpath.' -oi '.$from.' -t', 'w')))
{
+ // server probably has popen disabled, so nothing we can do to get a verbose error.
return FALSE;
}
diff --git a/system/libraries/Image_lib.php b/system/libraries/Image_lib.php
index ebcfc6748..8b5a1adb0 100644
--- a/system/libraries/Image_lib.php
+++ b/system/libraries/Image_lib.php
@@ -392,6 +392,16 @@ class CI_Image_lib {
$this->initialize($props);
}
+ /**
+ * A work-around for some improperly formatted, but
+ * usable JPEGs; known to be produced by Samsung
+ * smartphones' front-facing cameras.
+ *
+ * @see https://github.com/bcit-ci/CodeIgniter/issues/4967
+ * @see https://bugs.php.net/bug.php?id=72404
+ */
+ ini_set('gd.jpeg_ignore_warning', 1);
+
log_message('info', 'Image Lib Class Initialized');
}
@@ -1644,25 +1654,26 @@ class CI_Image_lib {
$this->set_error('imglib_invalid_image');
return FALSE;
}
+
$types = array(1 => 'gif', 2 => 'jpeg', 3 => 'png');
- $mime = (isset($types[$vals[2]])) ? 'image/'.$types[$vals[2]] : 'image/jpg';
+ $mime = isset($types[$vals[2]]) ? 'image/'.$types[$vals[2]] : 'image/jpg';
if ($return === TRUE)
{
return array(
- 'width' => $vals[0],
- 'height' => $vals[1],
- 'image_type' => $vals[2],
- 'size_str' => $vals[3],
- 'mime_type' => $mime
- );
- }
-
- $this->orig_width = $vals[0];
- $this->orig_height = $vals[1];
- $this->image_type = $vals[2];
- $this->size_str = $vals[3];
- $this->mime_type = $mime;
+ 'width' => $vals[0],
+ 'height' => $vals[1],
+ 'image_type' => $vals[2],
+ 'size_str' => $vals[3],
+ 'mime_type' => $mime
+ );
+ }
+
+ $this->orig_width = $vals[0];
+ $this->orig_height = $vals[1];
+ $this->image_type = $vals[2];
+ $this->size_str = $vals[3];
+ $this->mime_type = $mime;
return TRUE;
}