[Koha-bugs] [Bug 25371] Koha::Email doesn't validate header data
bugzilla-daemon at bugs.koha-community.org
bugzilla-daemon at bugs.koha-community.org
Wed May 6 01:40:31 CEST 2020
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25371
--- Comment #5 from David Cook <dcook at prosentient.com.au> ---
(In reply to Jonathan Druart from comment #4)
> Why not splitting on ',' and ';' then validate each, just before sending the
> email?
It's a good question. I am uncertain if that would be robust enough.
Looking at Mail::Sendmail, you could also use a space as a separator. Although
I suppose if we only supported ',' and ';' as separators, that would mean our
data validation would flag a problem if a space were used as a separator, which
would be good.
I'm trying to think if you could craft a malicious string using the ',' and
';'. I suppose not since that would just generate more tokens, and since we're
validating each token... yeah that should be OK.
Mail::Sendmail::sendmail is run in C4/Letters.pm, Koha/Illrequest.pm,
opac/opac-password-recovery.pl, opac/opac-sendshelf.pl,
opac/opac-sendbasket.pl, and virtualshelves/sendshelf.pl
The tricky part is really the error-handling rather than the validation itself.
--
You are receiving this mail because:
You are the assignee for the bug.
You are watching all bug changes.
More information about the Koha-bugs
mailing list