MDL-57531 mail: Validate the sender's email address

The patch adds validation for the noreplyaddress setting variable, for the explicit $replyto parameter and for the sender's email. In case of misconfigured noreplyaddress setting, it falls back to the default noreply address value. In case of invalid email in the user's record, the email is not sent. The patch also adds unit test for the value returned by the function generate_email_processing_address() so that it can be considered as a valid email, too. This is supposed to significantly minimise the risk of exploiting the vulnerability in PHPMailer's Sender field.
2025-01-18 05:58:34 +01:00 · 2017-01-03 22:09:30 +01:00 · 2017-01-03 22:09:30 +01:00 · 61367eb639
commit 61367eb639
parent 066ec13585
3 changed files with 56 additions and 1 deletions
--- a/lib/moodlelib.php
+++ b/lib/moodlelib.php
@ -5766,7 +5766,13 @@ function email_to_user($user, $from, $subject, $messagetext, $messagehtml = '',
    $tempreplyto = array();

    // Make sure that we fall back onto some reasonable no-reply address.
-    $noreplyaddress = empty($CFG->noreplyaddress) ? 'noreply@' . get_host_from_url($CFG->wwwroot) : $CFG->noreplyaddress;
+    $noreplyaddressdefault = 'noreply@' . get_host_from_url($CFG->wwwroot);
+    $noreplyaddress = empty($CFG->noreplyaddress) ? $noreplyaddressdefault : $CFG->noreplyaddress;
+
+    if (!validate_email($noreplyaddress)) {
+        debugging('email_to_user: Invalid noreply-email '.s($noreplyaddress));
+        $noreplyaddress = $noreplyaddressdefault;
+    }

    // Make up an email address for handling bounces.
    if (!empty($CFG->handlebounces)) {
@ -5776,6 +5782,12 @@ function email_to_user($user, $from, $subject, $messagetext, $messagehtml = '',
        $mail->Sender = $noreplyaddress;
    }

+    // Make sure that the explicit replyto is valid, fall back to the implicit one.
+    if (!empty($replyto) && !validate_email($replyto)) {
+        debugging('email_to_user: Invalid replyto-email '.s($replyto));
+        $replyto = $noreplyaddress;
+    }
+
    $alloweddomains = null;
    if (!empty($CFG->allowedemaildomains)) {
        $alloweddomains = explode(PHP_EOL, $CFG->allowedemaildomains);
@ -5793,6 +5805,11 @@ function email_to_user($user, $from, $subject, $messagetext, $messagehtml = '',
    // and that the senders email setting is either displayed to everyone, or display to only other users that are enrolled
    // in a course with the sender.
    } else if ($usetrueaddress && can_send_from_real_email_address($from, $user, $alloweddomains)) {
+        if (!validate_email($from->email)) {
+            debugging('email_to_user: Invalid from-email '.s($from->email).' - not sending');
+            // Better not to use $noreplyaddress in this case.
+            return false;
+        }
        $mail->From = $from->email;
        $fromdetails = new stdClass();
        $fromdetails->name = fullname($from);
--- a/lib/tests/moodlelib_test.php
+++ b/lib/tests/moodlelib_test.php
@ -3425,4 +3425,27 @@ class core_moodlelib_testcase extends advanced_testcase {
             'samecourse' => false, 'result' => false],
        ];
    }
+
+    /**
+     * Test that generate_email_processing_address() returns valid email address.
+     */
+    public function test_generate_email_processing_address() {
+        global $CFG;
+        $this->resetAfterTest();
+
+        $data = (object)[
+            'id' => 42,
+            'email' => 'my.email+from_moodle@example.com',
+        ];
+
+        $modargs = 'B'.base64_encode(pack('V', $data->id)).substr(md5($data->email), 0, 16);
+
+        $CFG->maildomain = 'example.com';
+        $CFG->mailprefix = 'mdl+';
+        $this->assertEquals(1, validate_email(generate_email_processing_address(0, $modargs)));
+
+        $CFG->maildomain = 'mail.example.com';
+        $CFG->mailprefix = 'mdl-';
+        $this->assertEquals(1, validate_email(generate_email_processing_address(23, $modargs)));
+    }
 }
--- a/lib/tests/weblib_test.php
+++ b/lib/tests/weblib_test.php
@ -665,4 +665,19 @@ EXPECTED;
        );
    }

+    /**
+     * Tests for validate_email() function.
+     */
+    public function test_validate_email() {
+
+        $this->assertEquals(1, validate_email('moodle@example.com'));
+        $this->assertEquals(1, validate_email('moodle@localhost.local'));
+        $this->assertEquals(1, validate_email('verp_email+is=mighty@moodle.org'));
+        $this->assertEquals(1, validate_email("but_potentially'dangerous'too@example.org"));
+        $this->assertEquals(1, validate_email('posts+AAAAAAAAAAIAAAAAAAAGQQAAAAABFSXz1eM/P/lR2bYyljM+@posts.moodle.org'));
+
+        $this->assertEquals(0, validate_email('moodle@localhost'));
+        $this->assertEquals(0, validate_email('"attacker\\" -oQ/tmp/ -X/var/www/vhost/moodle/backdoor.php  some"@email.com'));
+        $this->assertEquals(0, validate_email("moodle@example.com>\r\nRCPT TO:<victim@example.com"));
+    }
 }