From 2a9311b2d8393071d5b17b6eb32650b0b90451e0 Mon Sep 17 00:00:00 2001
From: John Botella
Date: Wed, 1 Jul 2020 16:55:23 +0200
Subject: [PATCH 1/4] Fix email spoofing - with hidden conf
---
 htdocs/core/class/CMailFile.class.php | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/htdocs/core/class/CMailFile.class.php b/htdocs/core/class/CMailFile.class.php
index 853f2f98b05..e31053d1bf7 100644
--- a/htdocs/core/class/CMailFile.class.php
+++ b/htdocs/core/class/CMailFile.class.php
@@ -396,7 +396,23 @@ class CMailFile
 //$this->message->setFrom(array('john@doe.com' => 'John Doe'));
 if (! empty($from)) {
 try {
- $result = $this->message->setFrom($this->getArrayAddress($from));
+
+ // Prevent email spoofing for smtp server with a strict configuration
+ $regexp = '/([a-z0-9_\.\-\+])+\@(([a-z0-9\-])+\.)+([a-z0-9]{2,4})+/i'; // This regular expression extracts all emails from a string
+ $emailMatchs = preg_match_all($regexp, $from, $adressEmailFrom);
+ $adressEmailFrom = reset($adressEmailFrom);
+ if($emailMatchs !== false
+ && $conf->global->MAIN_FORCE_DISABLE_MAIL_SPOOFING
+ && filter_var($conf->global->MAIN_MAIL_SMTPS_ID, FILTER_VALIDATE_EMAIL)
+ && $conf->global->MAIN_MAIL_SMTPS_ID !== $adressEmailFrom)
+ {
+ $result = $this->message->setFrom($conf->global->MAIN_MAIL_SMTPS_ID);
+ }
+ else
+ {
+ $result = $this->message->setFrom($this->getArrayAddress($from));
+ }
+
 } catch (Exception $e) {
 $this->errors[] = $e->getMessage();
 }
From cb7b66d52c1f2afa18229dca6ad3957c62631f42 Mon Sep 17 00:00:00 2001
From: stickler-ci
Date: Mon, 6 Jul 2020 09:19:27 +0000
Subject: [PATCH 2/4] Fixing style errors.
---
 htdocs/core/class/CMailFile.class.php | 1 -
 1 file changed, 1 deletion(-)
diff --git a/htdocs/core/class/CMailFile.class.php b/htdocs/core/class/CMailFile.class.php
index e31053d1bf7..18c923ff944 100644
--- a/htdocs/core/class/CMailFile.class.php
+++ b/htdocs/core/class/CMailFile.class.php 
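Review bot: The comparison `$conf->global->MAIN_MAIL_SMTPS_ID !== $adressEmailFrom` in the added block can never be false, because `preg_match_all` fills `$adressEmailFrom` with one array per capture group and `reset()` returns the array of full matches rather than a string; with the option enabled and a valid SMTPS id, every From is therefore rewritten whether it matched or not, and the regexp work is wasted. Take the first full match instead, e.g. `$adressEmailFrom = isset($adressEmailFrom[0][0]) ? $adressEmailFrom[0][0] : '';`, and compare the two mailboxes case-insensitively (`strtolower()` on both sides), since the check is meant to detect a different sender, not a different spelling. The same lines are carried unchanged into the hunks of PATCH 3/4 and PATCH 4/4, so the fix applies there as well. The enclosing method starts and ends outside this hunk.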
@@ -412,7 +412,6 @@ class CMailFile
 {
 $result = $this->message->setFrom($this->getArrayAddress($from));
 }
-
 } catch (Exception $e) {
 $this->errors[] = $e->getMessage();
 }
From 2f04b4c5597c90e9cba0ce96e0c95b5b42f036e3 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Mon, 6 Jul 2020 12:00:14 +0200
Subject: [PATCH 3/4] Update CMailFile.class.php
---
 htdocs/core/class/CMailFile.class.php | 30 ++++++++++++++-------------
 1 file changed, 16 insertions(+), 14 deletions(-)
diff --git a/htdocs/core/class/CMailFile.class.php b/htdocs/core/class/CMailFile.class.php
index 18c923ff944..8f751c8ada2 100644
--- a/htdocs/core/class/CMailFile.class.php
+++ b/htdocs/core/class/CMailFile.class.php 
@@ -396,20 +396,22 @@ class CMailFile
 //$this->message->setFrom(array('john@doe.com' => 'John Doe'));
 if (! empty($from)) {
 try {
-
- // Prevent email spoofing for smtp server with a strict configuration
- $regexp = '/([a-z0-9_\.\-\+])+\@(([a-z0-9\-])+\.)+([a-z0-9]{2,4})+/i'; // This regular expression extracts all emails from a string
- $emailMatchs = preg_match_all($regexp, $from, $adressEmailFrom);
- $adressEmailFrom = reset($adressEmailFrom);
- if($emailMatchs !== false
- && $conf->global->MAIN_FORCE_DISABLE_MAIL_SPOOFING
- && filter_var($conf->global->MAIN_MAIL_SMTPS_ID, FILTER_VALIDATE_EMAIL)
- && $conf->global->MAIN_MAIL_SMTPS_ID !== $adressEmailFrom)
- {
- $result = $this->message->setFrom($conf->global->MAIN_MAIL_SMTPS_ID);
- }
- else
- {
+ if (! empty($conf->global->MAIN_FORCE_DISABLE_MAIL_SPOOFING)) {
+ // Prevent email spoofing for smtp server with a strict configuration
+ $regexp = '/([a-z0-9_\.\-\+])+\@(([a-z0-9\-])+\.)+([a-z0-9]{2,4})+/i'; // This regular expression extracts all emails from a string
+ $emailMatchs = preg_match_all($regexp, $from, $adressEmailFrom);
+ $adressEmailFrom = reset($adressEmailFrom);
+ if($emailMatchs !== false
+ && filter_var($conf->global->MAIN_MAIL_SMTPS_ID, FILTER_VALIDATE_EMAIL)
+ && $conf->global->MAIN_MAIL_SMTPS_ID !== $adressEmailFrom)
+ {
+ $result = $this->message->setFrom($conf->global->MAIN_MAIL_SMTPS_ID);
+ }
+ else
+ {
+ $result = $this->message->setFrom($this->getArrayAddress($from));
+ }
+ } else {
 $result = $this->message->setFrom($this->getArrayAddress($from));
 }
 } catch (Exception $e) {
From 42917000a310d4b1a308f6f73407c1fb27528769 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Mon, 6 Jul 2020 12:01:00 +0200
Subject: [PATCH 4/4] Update CMailFile.class.php
---
 htdocs/core/class/CMailFile.class.php | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/htdocs/core/class/CMailFile.class.php b/htdocs/core/class/CMailFile.class.php
index 8f751c8ada2..bc9ed16a18c 100644 
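Review bot: Both arms of the new `if (! empty($conf->global->MAIN_FORCE_DISABLE_MAIL_SPOOFING))` end in the identical `$result = $this->message->setFrom($this->getArrayAddress($from));`, once in the inner `else` and once in the outer `else`, so the fallback path is written twice and a later change to it has to be made in two places. Resolving the address first — `$fromToUse = $this->getArrayAddress($from);`, replaced by the SMTPS id only when the anti-spoofing condition holds — and then issuing a single `setFrom($fromToUse)` removes the duplication and also makes the regexp block a pure decision with no side effect. The enclosing method starts and ends outside this hunk.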
--- a/htdocs/core/class/CMailFile.class.php
+++ b/htdocs/core/class/CMailFile.class.php
@@ -401,14 +401,10 @@ class CMailFile
 $regexp = '/([a-z0-9_\.\-\+])+\@(([a-z0-9\-])+\.)+([a-z0-9]{2,4})+/i'; // This regular expression extracts all emails from a string
 $emailMatchs = preg_match_all($regexp, $from, $adressEmailFrom);
 $adressEmailFrom = reset($adressEmailFrom);
- if($emailMatchs !== false
- && filter_var($conf->global->MAIN_MAIL_SMTPS_ID, FILTER_VALIDATE_EMAIL)
- && $conf->global->MAIN_MAIL_SMTPS_ID !== $adressEmailFrom)
+ if ($emailMatchs !== false && filter_var($conf->global->MAIN_MAIL_SMTPS_ID, FILTER_VALIDATE_EMAIL) && $conf->global->MAIN_MAIL_SMTPS_ID !== $adressEmailFrom)
 {
 $result = $this->message->setFrom($conf->global->MAIN_MAIL_SMTPS_ID);
- }
- else
- {
+ } else {
 $result = $this->message->setFrom($this->getArrayAddress($from));
 }
 } else {
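Review bot: When the override applies, `setFrom()` receives the bare `MAIN_MAIL_SMTPS_ID` string, so any display name carried in `$from` is dropped, whereas the fallback branch goes through `getArrayAddress($from)` and presumably keeps it (that helper is not visible in the hunk). Passing an array that maps the forced mailbox to the display name parsed from `$from` would keep the sender readable while still pinning the address. Separately, a `MAIN_MAIL_SMTPS_ID` that is a plain login rather than an address fails `filter_var(..., FILTER_VALIDATE_EMAIL)` and silently disables the whole protection; recording that in `$this->errors[]` (or surfacing it in the configuration page) would make the misconfiguration visible instead of leaving the admin to believe spoofing is blocked. The enclosing method continues outside this hunk.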