summaryrefslogtreecommitdiff
path: root/extlib/Mail/sendmail.php
diff options
context:
space:
mode:
authorBrion Vibber <brion@pobox.com>2010-05-03 16:49:59 -0700
committerBrion Vibber <brion@pobox.com>2010-05-03 16:49:59 -0700
commit081ee9b29c7e4b207633aec0219b5a5b1ef36800 (patch)
treee7d611a97d5d15a089e36bb3c598359ead4d85b2 /extlib/Mail/sendmail.php
parent34644441a90ef6369733b08644aa6a25492a4d61 (diff)
extlibs updates: PEAR::Mail to 1.2.0, PEAR::Net_SMTP to 1.4.2 (need to go together as a pair)
PEAR::Mail updated to 1.2.0 from 1.1.4, fixes deprecation warnings on PHP 5.3, as well as: 1.2.0: • QA release - stable. • Updated minimum dependencies (Net_SMTP, PEAR, PHP) • Doc Bug #15620 Licence change to BSD • Bug #13659 Mail parse error in special condition • Bug #16200 - Security hole allow to read/write Arbitrary File _hasUnclosedQuotes() doesn't properly handle a double slash before an end quote (slusarz@curecanti.org, Bug #9137). • Make sure Net_SMTP is defined when calling getSMTPObject() directly (slusarz@curecanti.org, Bug #13772). • Add addServiceExtensionParameter() to the SMTP driver (slusarz@curecanti.org, Bug #13764). • Add a method to obtain the Net_SMTP object from the SMTP driver (slusarz@curecanti.org, Bug #13766). PEAR::Net_SMTP updated to 1.4.2 from 1.3.1, needed to support updated PEAR::Mail: 1.4.2: • Fixing header string quoting in data(). (Bug #17199) 1.4.1: • The auth() method now includes an optional $tls parameter that determines whether or not TLS should be attempted (if supported by the PHP runtime and the remote SMTP server). This parameter defaults to true. (Bug #16349) • Header data can be specified separately from message body data by passing it as the optional second parameter to ``data()``. This is especially useful when an open file resource is being used to supply message data because it allows header fields (like *Subject:*) to be built dynamically at runtime. (Request #17012) 1.4.0: • The data() method now accepts either a string or a file resource containing the message data. (Request #16962) 1.3.4: • All Net_Socket write failures are now recognized. (Bug #16831) 1.3.3: • Added getGreeting(), for retrieving the server's greeting string. (Request #16066) [needed for PEAR::Mail] • We no longer attempt a TLS connection if we're already using a secure socket. (Bug #16254) • You can now specify a debug output handler via setDebug(). (Request #16420) 1.3.2: • TLS connection only gets started if no AUTH methods are sent. (Bug #14944)
Diffstat (limited to 'extlib/Mail/sendmail.php')
-rwxr-xr-x[-rw-r--r--]extlib/Mail/sendmail.php7
1 files changed, 4 insertions, 3 deletions
diff --git a/extlib/Mail/sendmail.php b/extlib/Mail/sendmail.php
index cd248e61d..b056575e9 100644..100755
--- a/extlib/Mail/sendmail.php
+++ b/extlib/Mail/sendmail.php
@@ -20,7 +20,7 @@
* Sendmail implementation of the PEAR Mail:: interface.
* @access public
* @package Mail
- * @version $Revision: 1.19 $
+ * @version $Revision: 294744 $
*/
class Mail_sendmail extends Mail {
@@ -117,7 +117,7 @@ class Mail_sendmail extends Mail {
if (is_a($recipients, 'PEAR_Error')) {
return $recipients;
}
- $recipients = escapeShellCmd(implode(' ', $recipients));
+ $recipients = implode(' ', array_map('escapeshellarg', $recipients));
$headerElements = $this->prepareHeaders($headers);
if (is_a($headerElements, 'PEAR_Error')) {
@@ -141,7 +141,8 @@ class Mail_sendmail extends Mail {
return PEAR::raiseError('From address specified with dangerous characters.');
}
- $from = escapeShellCmd($from);
+ $from = escapeshellarg($from); // Security bug #16200
+
$mail = @popen($this->sendmail_path . (!empty($this->sendmail_args) ? ' ' . $this->sendmail_args : '') . " -f$from -- $recipients", 'w');
if (!$mail) {
return PEAR::raiseError('Failed to open sendmail [' . $this->sendmail_path . '] for execution.');