diff options
| author | Ben Fuhrmannek | 2015-02-06 22:43:16 +0100 |
|---|---|---|
| committer | Ben Fuhrmannek | 2015-02-06 22:43:16 +0100 |
| commit | b8d1b6ccb5d67874d8637a273f73fd9ae1138f16 (patch) | |
| tree | 773d015dccfb4236b44121fc73fae81f23b926be | |
| parent | 3741554097cc73f03a9a6a4fa4d65dc01c120bd8 (diff) | |
fixed newline detection for suhosin.mail.protect
| -rw-r--r-- | Changelog | 1 | ||||
| -rw-r--r-- | execute.c | 25 |
2 files changed, 15 insertions, 11 deletions
| @@ -1,6 +1,7 @@ | |||
| 1 | 2015-xx-xx - 0.9.38-dev | 1 | 2015-xx-xx - 0.9.38-dev |
| 2 | - removed code compatibility for PHP <5.4 (lots of code + ifdefs) | 2 | - removed code compatibility for PHP <5.4 (lots of code + ifdefs) |
| 3 | - allow https location for suhosin.filter.action | 3 | - allow https location for suhosin.filter.action |
| 4 | - fixed newline detection for suhosin.mail.protect | ||
| 4 | 5 | ||
| 5 | 2014-12-12 - 0.9.37.1 | 6 | 2014-12-12 - 0.9.37.1 |
| 6 | - Changed version string to 0.9.37.1 (without -dev) | 7 | - Changed version string to 0.9.37.1 (without -dev) |
| @@ -751,7 +751,10 @@ int ih_mail(IH_HANDLER_PARAMS) | |||
| 751 | return (1); | 751 | return (1); |
| 752 | } | 752 | } |
| 753 | 753 | ||
| 754 | if (headers_len > 0 && headers && (strstr(headers,"\n\n") || strstr(headers,"\r\n\r\n")) ) { | 754 | if (headers_len > 0 && headers && |
| 755 | (strstr(headers, "\n\n") || strstr(headers, "\n\r\n") /* double newline */ | ||
| 756 | || *headers == '\n' || (headers[0] == '\r' && headers[1] == '\n') /* starts with newline */ | ||
| 757 | )) { | ||
| 755 | suhosin_log(S_MAIL, "mail() - double newline in headers, possible injection, mail dropped"); | 758 | suhosin_log(S_MAIL, "mail() - double newline in headers, possible injection, mail dropped"); |
| 756 | if (!SUHOSIN_G(simulation)) { | 759 | if (!SUHOSIN_G(simulation)) { |
| 757 | RETVAL_FALSE; | 760 | RETVAL_FALSE; |
| @@ -762,14 +765,14 @@ int ih_mail(IH_HANDLER_PARAMS) | |||
| 762 | /* check for spam attempts with buggy webforms */ | 765 | /* check for spam attempts with buggy webforms */ |
| 763 | if (to_len > 0 && to) { | 766 | if (to_len > 0 && to) { |
| 764 | do { | 767 | do { |
| 765 | tmp = strchr(to, '\n'); | 768 | if ((tmp = strchr(to, '\n')) == NULL) |
| 766 | tmp = tmp == NULL ? strchr(to, '\r') : tmp; | 769 | tmp = strchr(to, '\r'); |
| 767 | if (tmp == NULL) break; | 770 | if (tmp == NULL) break; |
| 768 | to = tmp+1; | 771 | to = tmp + 1; |
| 769 | if (isspace(*to)) continue; | 772 | if (!isspace(*to)) break; |
| 770 | } while (1); | 773 | } while (1); |
| 771 | if (tmp != NULL) { | 774 | if (tmp != NULL) { |
| 772 | suhosin_log(S_MAIL, "mail() - newline in to header, possible injection, mail dropped"); | 775 | suhosin_log(S_MAIL, "mail() - newline in To header, possible injection, mail dropped"); |
| 773 | if (!SUHOSIN_G(simulation)) { | 776 | if (!SUHOSIN_G(simulation)) { |
| 774 | RETVAL_FALSE; | 777 | RETVAL_FALSE; |
| 775 | return (1); | 778 | return (1); |
| @@ -779,14 +782,14 @@ int ih_mail(IH_HANDLER_PARAMS) | |||
| 779 | 782 | ||
| 780 | if (subject_len > 0 && subject) { | 783 | if (subject_len > 0 && subject) { |
| 781 | do { | 784 | do { |
| 782 | tmp = strchr(subject, '\n'); | 785 | if ((tmp = strchr(subject, '\n')) == NULL) |
| 783 | tmp = tmp == NULL ? strchr(subject, '\r') : tmp; | 786 | tmp = strchr(subject, '\r'); |
| 784 | if (tmp == NULL) break; | 787 | if (tmp == NULL) break; |
| 785 | subject = tmp+1; | 788 | subject = tmp + 1; |
| 786 | if (isspace(*subject)) continue; | 789 | if (!isspace(*subject)) break; |
| 787 | } while (1); | 790 | } while (1); |
| 788 | if (tmp != NULL) { | 791 | if (tmp != NULL) { |
| 789 | suhosin_log(S_MAIL, "mail() - newline in subject header, possible injection, mail dropped"); | 792 | suhosin_log(S_MAIL, "mail() - newline in Subject header, possible injection, mail dropped"); |
| 790 | if (!SUHOSIN_G(simulation)) { | 793 | if (!SUHOSIN_G(simulation)) { |
| 791 | RETVAL_FALSE; | 794 | RETVAL_FALSE; |
| 792 | return (1); | 795 | return (1); |