
sanitize mail headers in NativeMailerHandler to prevent header injection. Added tests.

This commit is contained in:
Markus Staab
2013-02-13 14:57:58 +01:00
parent 9dc4ffc071
commit 6c888417b6
2 changed files with 50 additions and 5 deletions


@@ -38,7 +38,7 @@ class NativeMailerHandler extends MailHandler
parent::__construct($level, $bubble);
$this->to = is_array($to) ? $to : array($to);
$this->subject = $subject;
$this->headers[] = sprintf('From: %s', $from);
$this->addHeader(sprintf('From: %s', $from));
}
/**
@@ -46,10 +46,11 @@ class NativeMailerHandler extends MailHandler
*/
public function addHeader($headers)
{
if (is_array($headers)) {
$this->headers = array_merge($this->headers, $headers);
} else {
$this->headers[] = $headers;
foreach ((array) $headers as $header) {
if (strpos($header, "\n") !== false || strpos($header, "\r") !== false) {
throw new \InvalidArgumentException('headers are not allowed to contain newline characters!');
}
$this->headers[] = $header;
}
}
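Review bot: The foreach/strpos check added to addHeader guards only the headers array; `$to` and `$subject`, assigned two lines above the From header, still accept embedded CR/LF and are presumably handed to mail() in send(), which is outside this hunk — PHP's mail() is documented to neutralise control characters in those two arguments itself, so this is likely acceptable, but the reliance on that is worth a comment. The addHeader docblock opens above the hunk; since the From header now flows through the same loop, add `@throws \InvalidArgumentException if a header contains CR or LF (mail header injection)` so callers know the constructor can throw as well. Note also that `(array) $headers` means a nested array element would reach strpos() and only emit a warning rather than be rejected; `is_string($header)` in the same condition would close that gap.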


@@ -0,0 +1,44 @@
<?php
/*
* This file is part of the Monolog package.
*
* (c) Jordi Boggiano <j.boggiano@seld.be>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
namespace Monolog\Handler;
use Monolog\Logger;
use Monolog\TestCase;
class NativeMailerHandlerTest extends TestCase
{
/**
* @expectedException InvalidArgumentException
*/
public function testConstructorHeaderInjection()
{
$mailer = new NativeMailerHandler('spammer@example.org', 'dear victim', "receiver@example.org\r\nFrom: faked@attacker.org");
}
/**
* @expectedException InvalidArgumentException
*/
public function testSetterHeaderInjection()
{
$mailer = new NativeMailerHandler('spammer@example.org', 'dear victim', 'receiver@example.org');
$mailer->addHeader("Content-Type: text/html\r\nFrom: faked@attacker.org");
}
/**
* @expectedException InvalidArgumentException
*/
public function testSetterArrayHeaderInjection()
{
$mailer = new NativeMailerHandler('spammer@example.org', 'dear victim', 'receiver@example.org');
$mailer->addHeader(array("Content-Type: text/html\r\nFrom: faked@attacker.org"));
}
}
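Review bot: The three tests only exercise the combined `\r\n` sequence; a bare `\n` or a bare `\r` — each rejected on its own by addHeader — and the positive path (a valid string or array of headers being accepted) are not covered, so a regression that checked only one line-break character would still pass. The setter and array-setter tests are near-duplicates that a `@dataProvider` would fold together while adding the single-character cases, and the `$mailer =` assignment in each test is unused. A positive test with no assertion passes in the PHPUnit version this file targets, but newer versions flag it as risky, so pair it with an assertion once the handler exposes its headers.

```php
    /**
     * @dataProvider injectionHeaderProvider
     * @expectedException InvalidArgumentException
     */
    public function testSetterHeaderInjection($header)
    {
        $mailer = new NativeMailerHandler('spammer@example.org', 'dear victim', 'receiver@example.org');
        $mailer->addHeader($header);
    }

    public function injectionHeaderProvider()
    {
        return array(
            array("Content-Type: text/html\r\nFrom: faked@attacker.org"),
            array("Content-Type: text/html\nFrom: faked@attacker.org"),
            array("Content-Type: text/html\rFrom: faked@attacker.org"),
            array(array("Content-Type: text/html\r\nFrom: faked@attacker.org")),
        );
    }

    public function testValidHeadersAreAccepted()
    {
        $mailer = new NativeMailerHandler('spammer@example.org', 'dear victim', 'receiver@example.org');
        $mailer->addHeader('Content-Type: text/html');
        $mailer->addHeader(array('X-Mailer: Monolog', 'Reply-To: noreply@example.org'));
    }
```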