[Bug 25371] New: Koha::Email doesn't validate header data
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25371 Bug ID: 25371 Summary: Koha::Email doesn't validate header data Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: normal Priority: P5 - low Component: Architecture, internals, and plumbing Assignee: koha-bugs@lists.koha-community.org Reporter: dcook@prosentient.com.au QA Contact: testopia@bugs.koha-community.org Koha::Email should validate the data being used for the email headers. Mail::Sendmail doesn't do proper validation itself, so we need to do it at a higher level. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25371 --- Comment #1 from David Cook <dcook@prosentient.com.au> --- I have a bunch of examples for this, but the simplest one is opac-sendbasket.pl. You can put anything you want in "Email address" and it will try to email it. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25371 --- Comment #2 from David Cook <dcook@prosentient.com.au> --- At first, I thought this would be easy, as we could just use Email::Valid->address() in Koha::Email, but it seems that we sometimes pass in 1 email address and sometimes we pass in multiple (with a range of separators). Koha/Illrequest.pm seems multiple emails with separator ";" (by replacing null bytes?) basket/sendbasket.pl uses 1 email address (in theory) C4/Letters.pm has a range of 1 or 1+ emails, and separates with a comma. misc/cronjobs/runreport.pl looks like 1 email address opac/opac-sendbasket.pl uses 1 email address (in theory) opac/opac-sendshelf.pl uses 1 email address (in theory) virtualshelves/sendshelf.pl -- Off the top of my head, the way to do it would be to add a setter called "add_to_address()" to Koha::Email, and add them one by one (and validate them one by one). But it's used across quite a few scripts, so that will be a pain to test. I suppose it would be a pain in any case. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25371 --- Comment #3 from David Cook <dcook@prosentient.com.au> --- This will probably take a looooong time to fix. So I might look at damage control... -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25371 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jonathan.druart@bugs.koha-c | |ommunity.org --- Comment #4 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Why not splitting on ',' and ';' then validate each, just before sending the email? -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25371 --- Comment #5 from David Cook <dcook@prosentient.com.au> --- (In reply to Jonathan Druart from comment #4)
Why not splitting on ',' and ';' then validate each, just before sending the email?
It's a good question. I am uncertain if that would be robust enough. Looking at Mail::Sendmail, you could also use a space as a separator. Although I suppose if we only supported ',' and ';' as separators, that would mean our data validation would flag a problem if a space were used as a separator, which would be good. I'm trying to think if you could craft a malicious string using the ',' and ';'. I suppose not since that would just generate more tokens, and since we're validating each token... yeah that should be OK. Mail::Sendmail::sendmail is run in C4/Letters.pm, Koha/Illrequest.pm, opac/opac-password-recovery.pl, opac/opac-sendshelf.pl, opac/opac-sendbasket.pl, and virtualshelves/sendshelf.pl The tricky part is really the error-handling rather than the validation itself. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25371 --- Comment #6 from David Cook <dcook@prosentient.com.au> --- Since both Koha::Email and Mail::Sendmail are used across many files, doing an update seems to come with many risks. For now, I might do more localized validation on the highest risk pages (ie OPAC pages). -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25371 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=25382 -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25371 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |m.de.rooy@rijksmuseum.nl -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org