authorAleksander Machniak <alec@alec.pl>2013-03-12 08:43:21 +0100
committerAleksander Machniak <alec@alec.pl>2013-03-12 08:44:03 +0100
commit097c544d98bbeee7d120af549116da57ee448ca5 (patch)
treefb43937fe729737b7bf1d5c302496e3ddaf7735f
parent2bbbca39ffdf99e5acc2d160c06ceed2f461e18f (diff)
Don't show fake address - phishing prevention (#1488981)
-rw-r--r--CHANGELOG1
-rw-r--r--program/steps/mail/func.inc5
2 files changed, 6 insertions, 0 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 5eab3eaf0..a7d64a751 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,7 @@
CHANGELOG Roundcube Webmail
===========================
+- Don't show fake address - phishing prevention (#1488981)
- Fix forward as attachment bug with editormode != 1 (#1488991)
- Fix LIMIT/OFFSET queries handling on MS SQL Server (#1488984)
- Fix javascript errors when working in a page opened with taget="_blank"
diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc
index 19290e40a..92f32f910 100644
--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
@@ -1440,6 +1440,11 @@ function rcmail_address_string($input, $max=null, $linked=false, $addicon=null,
$mailto = $part['mailto'];
$string = $part['string'];
+ // phishing email prevention (#1488981), e.g. "valid@email.addr <phishing@email.addr>"
+ if ($name && $name != $mailto && strpos($name, '@')) {
+ $name = '';
+ }
+
// IDNA ASCII to Unicode
if ($name == $mailto)
$name = rcube_idn_to_utf8($name);
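Review bot: The added guard uses `strpos($name, '@')` as a boolean, so a display name whose first character is `@` returns offset 0, counts as "no match" and is left in place; compare against false instead: `if ($name && $name != $mailto && strpos($name, '@') !== false) {`. The test also matches only the ASCII `@` byte, so if look-alike characters in display names are a concern the name would need normalising before this check. A one-line comment stating the intended fallback, for example `// name cleared: only the real address ($mailto) is displayed`, would help, since the rendering code that consumes an empty `$name` is not visible here. The body of rcmail_address_string starts and ends outside the hunk.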