Fix vulnerability in handling of mail()'s 5th argument

8 years ago · f84233785d
parent 6fa88c9814
commit f84233785d
2 changed files with 2 additions and 1 deletions
--- a/1
+++ b/1
@ -1,6 +1,7 @@
 CHANGELOG Roundcube Webmail
 ===========================

+- Fix vulnerability in handling of mail()'s 5th argument
 - Fix To: header encoding in mail sent with mail() method (#5475)
 - Fix flickering of header topline in min-mode (#5426)
 - Fix bug where folders list would scroll to top when clicking on subscription checkbox (#5447)
--- a/program/lib/Roundcube/rcube.php
+++ b/program/lib/Roundcube/rcube.php
@ -1689,7 +1689,7 @@ class rcube
                if (filter_var(ini_get('safe_mode'), FILTER_VALIDATE_BOOLEAN))
                    $sent = mail($to, $subject, $msg_body, $header_str);
                else
-                    $sent = mail($to, $subject, $msg_body, $header_str, "-f$from");
+                    $sent = mail($to, $subject, $msg_body, $header_str, '-f ' . escapeshellarg($from));
            }
        }