From 1c199e29b1c40c9b2fb26760569ac3e33423291f Mon Sep 17 00:00:00 2001
From: Petr Skoda <commits@skodak.org>
Date: Sat, 21 Jan 2012 15:21:08 +0100
Subject: [PATCH] MDL-31202 do not try sending emails to invalid addresses

The use of mtrace() in email_to_user() is most probably incorrect, I am going to use it only in CLI scripts (which includes cron). This should not be considered a security issue because we should be already validating emails when accepting them from untrusted users.
---
 lib/moodlelib.php | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/lib/moodlelib.php b/lib/moodlelib.php
index 558275860ef..29e4142e836 100644
--- a/lib/moodlelib.php
+++ b/lib/moodlelib.php
@@ -5028,6 +5028,17 @@ function email_to_user($user, $from, $subject, $messagetext, $messagehtml='', $a
         return true;
     }
 
+    if (!validate_email($user->email)) {
+        // we can not send emails to invalid addresses - it might create security issue or confuse the mailer
+        $invalidemail = "User $user->id (".fullname($user).") email ($user->email) is invalid! Not sending.";
+        error_log($invalidemail);
+        if (CLI_SCRIPT) {
+            // do not print this in standard web pages
+            mtrace($invalidemail);
+        }
+        return false;
+    }
+
     if (over_bounce_threshold($user)) {
         $bouncemsg = "User $user->id (".fullname($user).") is over bounce threshold! Not sending.";
         error_log($bouncemsg);