-rw-r--r--Changelog1
-rw-r--r--execute.c25
2 files changed, 15 insertions, 11 deletions
diff --git a/Changelog b/Changelog
index 98472a1..a6b7e3a 100644
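--- a/Changelog
+++ b/Changelog
@@ -1,6 +1,7 @@
 2015-xx-xx - 0.9.38-dev
 - removed code compatibility for PHP <5.4 (lots of code + ifdefs)
 - allow https location for suhosin.filter.action
+- fixed newline detection for suhosin.mail.protect
 
 2014-12-12 - 0.9.37.1
 - Changed version string to 0.9.37.1 (without -dev)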
diff --git a/execute.c b/execute.c
index bc7dc59..d2fdaba 100644
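--- a/execute.c
+++ b/execute.c
@@ -751,7 +751,10 @@ int ih_mail(IH_HANDLER_PARAMS)
 return (1);
 }
 
-if (headers_len > 0 && headers && (strstr(headers,"\n\n") || strstr(headers,"\r\n\r\n")) ) {
+if (headers_len > 0 && headers &&
+(strstr(headers, "\n\n") || strstr(headers, "\n\r\n") /* double newline */
+|| *headers == '\n' || (headers[0] == '\r' && headers[1] == '\n') /* starts with newline */
+)) {
 suhosin_log(S_MAIL, "mail() - double newline in headers, possible injection, mail dropped");
 if (!SUHOSIN_G(simulation)) {
 RETVAL_FALSE;
@@ -762,14 +765,14 @@ int ih_mail(IH_HANDLER_PARAMS)
 /* check for spam attempts with buggy webforms */
 if (to_len > 0 && to) {
 do {
-tmp = strchr(to, '\n');
-tmp = tmp == NULL ? strchr(to, '\r') : tmp;
+if ((tmp = strchr(to, '\n')) == NULL)
+tmp = strchr(to, '\r');
 if (tmp == NULL) break;
-to = tmp+1;
-if (isspace(*to)) continue;
+to = tmp + 1;
+if (!isspace(*to)) break;
 } while (1);
 if (tmp != NULL) {
-suhosin_log(S_MAIL, "mail() - newline in to header, possible injection, mail dropped");
+suhosin_log(S_MAIL, "mail() - newline in To header, possible injection, mail dropped");
 if (!SUHOSIN_G(simulation)) {
 RETVAL_FALSE;
 return (1);
@@ -779,14 +782,14 @@ int ih_mail(IH_HANDLER_PARAMS)
 
 if (subject_len > 0 && subject) {
 do {
-tmp = strchr(subject, '\n');
-tmp = tmp == NULL ? strchr(subject, '\r') : tmp;
+if ((tmp = strchr(subject, '\n')) == NULL)
+tmp = strchr(subject, '\r');
 if (tmp == NULL) break;
-subject = tmp+1;
-if (isspace(*subject)) continue;
+subject = tmp + 1;
+if (!isspace(*subject)) break;
 } while (1);
 if (tmp != NULL) {
-suhosin_log(S_MAIL, "mail() - newline in subject header, possible injection, mail dropped");
+suhosin_log(S_MAIL, "mail() - newline in Subject header, possible injection, mail dropped");
 if (!SUHOSIN_G(simulation)) {
 RETVAL_FALSE;
 return (1);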
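Review bot: In the To and Subject loops the scan looks for '\n' first and falls back to '\r' only when no '\n' is left, so a bare CR that sits before a folded LF is never examined once `to`/`subject` has advanced past it. If a bare CR is meant to count as a line break, as the fallback suggests, taking the earliest of either with `tmp = strpbrk(to, "\r\n");` (and the same for `subject`) closes that gap. The continuation test also passes a plain `char` to `isspace`, which is undefined for bytes above 0x7f where `char` is signed; `if (!isspace((unsigned char)*to)) break;` avoids it. The headers check in the first hunk uses `strstr`, which stops at the first NUL even though `headers_len` is available, and it does not treat a bare CR as a line end the way these loops do; it is worth confirming that both differences are intended. ih_mail begins and ends outside the hunks shown.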