mirror/php-monolog
1
0
Fork 0
mirror of https://github.com/Seldaek/monolog.git synced 2025-08-08 14:16:42 +02:00
Code Issues Releases Wiki Activity

sanitize http headers in NativeMailerHandler to prevent injections. added tests.

Browse Source
This commit is contained in:
Markus Staab
2013-02-13 14:57:58 +01:00
parent 9dc4ffc071
commit 6c888417b6
2 changed files with 50 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
src/Monolog/Handler/NativeMailerHandler.php
View File

@@ -38,7 +38,7 @@ class NativeMailerHandler extends MailHandler
parent::__construct($level, $bubble); parent::__construct($level, $bubble);
$this->to = is_array($to) ? $to : array($to); $this->to = is_array($to) ? $to : array($to);
$this->subject = $subject; $this->subject = $subject;
$this->headers[] = sprintf('From: %s', $from); $this->addHeader(sprintf('From: %s', $from));
} }
/** /**
@@ -46,10 +46,11 @@ class NativeMailerHandler extends MailHandler
*/ */
public function addHeader($headers) public function addHeader($headers)
{ {
if (is_array($headers)) { foreach ((array) $headers as $header) {
$this->headers = array_merge($this->headers, $headers); if (strpos($header, "\n") !== false || strpos($header, "\r") !== false) {
} else { throw new \InvalidArgumentException('headers are not allowed to contain newline characters!');
$this->headers[] = $headers; }
$this->headers[] = $header;
} }
} }

44
tests/Monolog/Handler/NativeMailerHandlerTest.php Normal file
View File

@@ -0,0 +1,44 @@
<?php
/*
* This file is part of the Monolog package.
*
* (c) Jordi Boggiano <j.boggiano@seld.be>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
namespace Monolog\Handler;
use Monolog\Logger;
use Monolog\TestCase;
class NativeMailerHandlerTest extends TestCase
{
/**
* @expectedException InvalidArgumentException
*/
public function testConstructorHeaderInjection()
{
$mailer = new NativeMailerHandler('spammer@example.org', 'dear victim', "receiver@example.org\r\nFrom: faked@attacker.org");
}
/**
* @expectedException InvalidArgumentException
*/
public function testSetterHeaderInjection()
{
$mailer = new NativeMailerHandler('spammer@example.org', 'dear victim', 'receiver@example.org');
$mailer->addHeader("Content-Type: text/html\r\nFrom: faked@attacker.org");
}
/**
* @expectedException InvalidArgumentException
*/
public function testSetterArrayHeaderInjection()
{
$mailer = new NativeMailerHandler('spammer@example.org', 'dear victim', 'receiver@example.org');
$mailer->addHeader(array("Content-Type: text/html\r\nFrom: faked@attacker.org"));
}
}