From db6ee9f75fb4b6f1d21526105ea0cf4292cda366 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Mon, 28 Nov 2022 16:57:06 +0100
Subject: [PATCH] Fix against SMTP injection
---
 htdocs/core/class/CMailFile.class.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/htdocs/core/class/CMailFile.class.php b/htdocs/core/class/CMailFile.class.php
index 5396c324c65..a7a87e1ce6e 100644
--- a/htdocs/core/class/CMailFile.class.php
+++ b/htdocs/core/class/CMailFile.class.php
@@ -329,10 +329,10 @@ class CMailFile
 $this->addr_bcc = dol_sanitizeEmail($addr_bcc);
 $this->deliveryreceipt = $deliveryreceipt;
 if (empty($replyto)) {
- $replyto = $from;
+ $replyto = dol_sanitizeEmail($from);
 }
- $this->reply_to = $replyto;
- $this->errors_to = $errors_to;
+ $this->reply_to = dol_sanitizeEmail($replyto);
+ $this->errors_to = dol_sanitizeEmail($errors_to);
 $this->trackid = $trackid;
 // Set arrays with attached files info
 $this->filename_list = $filename_list;
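Review bot: `$this->trackid = $trackid;` is still stored raw directly below the two newly sanitized fields. If the track id is later written into a message header (the hunk does not show this), it needs the same treatment, for example `$this->trackid = str_replace(array("\r", "\n"), '', (string) $trackid);`. Separately, the `empty($replyto)` branch now sanitizes `$from` and the following assignment sanitizes the result again. `$replyto = $from;` could stay as it was, because `$this->reply_to = dol_sanitizeEmail($replyto);` covers both paths. A short comment above the assignments such as `// Header-bound values: strip CR/LF before storing to prevent SMTP header injection` would record why these fields are wrapped. The constructor begins and ends outside this hunk, so whether `$from` and the subject are sanitized earlier cannot be confirmed from here.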