Bug 386860: [SECURITY] Insufficient escaping of From address when using Sendmail...
authorlpsolit%gmail.com <>
Thu, 23 Aug 2007 20:46:56 +0000 (20:46 +0000)
committerlpsolit%gmail.com <>
Thu, 23 Aug 2007 20:46:56 +0000 (20:46 +0000)
Bugzilla/Mailer.pm

index b4b2f320d959374d3ca63c79d62938bfd5280337..03f370a4eb492a50b4afe80f5faa4986a2d5c76a 100644 (file)
@@ -44,6 +44,7 @@ use Bugzilla::Util;
 use Date::Format qw(time2str);
 
 use Encode qw(encode);
+use Email::Address;
 use Email::MIME;
 # Loading this gives us encoding_set.
 use Email::MIME::Modifier;
@@ -80,7 +81,14 @@ sub MessageToMTA {
             $Email::Send::Sendmail::SENDMAIL = SENDMAIL_EXE;
         }
         push @args, "-i";
-        push(@args, "-f$from") if $from;
+        # We want to make sure that we pass *only* an email address.
+        if ($from) {
+            my ($email_obj) = Email::Address->parse($from);
+            if ($email_obj) {
+                my $from_email = $email_obj->address;
+                push(@args, "-f$from_email") if $from_email;
+            }
+        }
         push(@args, "-ODeliveryMode=deferred")
             if !Bugzilla->params->{"sendmailnow"};
     }
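Review bot: The value pushed at `push(@args, "-f$from_email")` is a syntactically valid addr-spec, but RFC 2822 local parts may still contain quoted strings and characters a shell treats specially, so parsing with Email::Address does not by itself make it safe if `@args` is later joined into a command line. How Email::Send::Sendmail invokes the binary is not visible in this hunk, so this should be confirmed. I would add a conservative allow-list on that line, `push(@args, "-f$from_email") if $from_email =~ /\A[A-Za-z0-9._+-]+\@[A-Za-z0-9.-]+\z/;`, and extend the comment to give the reason: `# -f ends up on the sendmail command line; accept only a plain addr-spec.` When parsing fails, `-f` is dropped silently and the mail goes out with the default envelope sender, which deserves a logged warning. MessageToMTA starts and ends outside the hunk.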