From fd0fd3b0a0c82a1a5cce4dc775886154e9bf9e14 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak
Date: Fri, 10 May 2013 09:35:24 +0200
Subject: Fix handling of invalid email addresses in headers (#1489092)
---
 CHANGELOG | 1 +
 program/lib/Roundcube/rcube_mime.php | 5 +++++
 program/steps/mail/func.inc | 7 ++++---
 tests/Framework/Mime.php | 4 ++++
 4 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index 43935159f..9a4fa70e6 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,7 @@
 CHANGELOG Roundcube Webmail
 ===========================
+- Fix handling of invalid email addresses in headers (#1489092)
 - Added attachment_reminder plugin
 - Fix IMAP connection issue with default_socket_timeout < 0 and imap_timeout < 0 (#1489090)
 - Fix various PHP code bugs found using static analysis (#1489086)
diff --git a/program/lib/Roundcube/rcube_mime.php b/program/lib/Roundcube/rcube_mime.php
index 63549fbec..596828814 100644
--- a/program/lib/Roundcube/rcube_mime.php
+++ b/program/lib/Roundcube/rcube_mime.php
@@ -361,6 +361,11 @@ class rcube_mime
 $address = $m[1];
 $name = '';
 }
+ // special case (#1489092)
+ else if (preg_match('/(\s*)$/', $val, $m)) {
+ $address = 'MAILER-DAEMON';
+ $name = substr($val, 0, -strlen($m[1]));
+ }
 else {
 $name = $val;
 }
diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc
index f86140eb1..7e763a2d8 100644
--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
@@ -1417,9 +1417,10 @@ function rcmail_address_string($input, $max=null, $linked=false, $addicon=null,
 $name = $part['name'];
 $mailto = $part['mailto'];
 $string = $part['string'];
+ $valid = check_email($mailto, false);
 // phishing email prevention (#1488981), e.g. "valid@email.addr "
- if (!$show_email && $name && $name != $mailto && strpos($name, '@')) {
+ if (!$show_email && $valid && $name && $name != $mailto && strpos($name, '@')) {
 $name = '';
 }
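Review bot: The pattern in the added `else if` of rcube_mime.php reads `/(\s*)$/` on this page, and in that form it matches every string, which would leave the final `else` unreachable and make `substr($val, 0, -strlen($m[1]))` return an empty name whenever `$m[1]` is empty. The expected result added in tests/Framework/Mime.php suggests a bracketed literal was dropped when the page was rendered, so the committed pattern should be confirmed against the repository before relying on this text. The comment `// special case (#1489092)` does not say what the case is; I would spell it out, e.g. `// header ends in a bracketed token that is not an address: keep the display name, report the address as MAILER-DAEMON (#1489092)`. Because the value returned as the address is not a mailbox, callers have to validate it before linking or comparing it, as the func.inc part of this commit does with `check_email()`. The enclosing method starts and ends outside the hunk.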
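Review bot: With `$valid` added to the phishing guard in func.inc, a display name that itself looks like an address is no longer blanked when `check_email($mailto, false)` rejects the real address, so the reader's protection in that case appears to rest on the fallback branch further down printing `$mailto` beside the name (the hunk at -1476). That dependency deserves a comment on the guard, e.g. `// invalid addresses keep their name; the fallback branch below shows $mailto next to it`. On the same line `strpos($name, '@')` is tested for truthiness, so a name that starts with `@` yields offset 0 and skips the guard; `strpos($name, '@') !== false` avoids that. The body of rcmail_address_string() continues outside the hunk.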
@@ -1435,7 +1436,7 @@ function rcmail_address_string($input, $max=null, $linked=false, $addicon=null,
 // for printing we display all addresses
 continue;
 }
- else if (check_email($part['mailto'], false)) {
+ else if ($valid) {
 if ($linked) {
 $attrs = array(
 'href' => 'mailto:' . $mailto,
@@ -1476,7 +1477,7 @@ function rcmail_address_string($input, $max=null, $linked=false, $addicon=null,
 if ($name)
 $address .= Q($name);
 if ($mailto)
- $address .= (strlen($address) ? ' ' : '') . sprintf('<%s>', Q($mailto));
+ $address = trim($address . ' ' . Q($name ? sprintf('<%s>', $mailto) : $mailto));
 }
 $address = html::span('adr', $address);
diff --git a/tests/Framework/Mime.php b/tests/Framework/Mime.php
index 3035ba062..d9f4163ec 100644
--- a/tests/Framework/Mime.php
+++ b/tests/Framework/Mime.php
@@ -39,6 +39,8 @@ class Framework_Mime extends PHPUnit_Framework_TestCase
 19 => 'Test <"test test"@domain.tld>',
 20 => '<"test test"@domain.tld>',
 21 => '"test test"@domain.tld',
+ // invalid (#1489092)
+ 22 => '"John Doe @ SomeBusinessName" ',
 );
 $results = array(
@@ -64,6 +66,8 @@ class Framework_Mime extends PHPUnit_Framework_TestCase
 19 => array(1, 'Test', '"test test"@domain.tld'),
 20 => array(1, '', '"test test"@domain.tld'),
 21 => array(1, '', '"test test"@domain.tld'),
+ // invalid (#1489092)
+ 22 => array(1, 'John Doe @ SomeBusinessName', 'MAILER-DAEMON'),
 );
 foreach ($headers as $idx => $header) {
-- 
cgit v1.2.3
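Review bot: The rewritten `$address = trim(...)` line in the hunk at -1476 has no comment explaining why the angle brackets moved inside `Q()`, and that is the security-relevant part of the change: the old line emitted literal `<` and `>` around the quoted address, which a browser can read as a tag when the address is a bare token. Assuming `Q()` is the HTML-quoting helper used for `$name` just above, I would add `// quote the brackets together with the address so an invalid address cannot be parsed as markup`. The two `if` statements here are unbraced, and braces would make it harder for a later edit to detach the assignment from its condition. The surrounding block opens outside the hunk.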
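Review bot: Case 22 in tests/Framework/Mime.php is the only input that exercises the new branch in rcube_mime, and as rendered here its header string ends right after the quoted name, so the token that the expected `MAILER-DAEMON` depends on is not visible and should be checked in the repository. I would add a neighbouring case in which the same quoted name is followed by a different bracketed non-address, to pin down that only the intended token takes the special path. Both additions (here and in `$results` at -64) carry the comment `// invalid (#1489092)`; `// invalid address token, parsed as MAILER-DAEMON (#1489092)` would tell a reader what is being asserted.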