From ff7542bfb9648a8970bd6ff767bb62a647f705ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 12 Mar 2013 03:43:21 -0400
Subject: [PATCH] Don't show fake address - phishing prevention (#1488981)

---
 CHANGELOG                   |    1 +
 program/steps/mail/func.inc |    5 +++++
 2 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 8553162..499d5ba 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,7 @@
 CHANGELOG Roundcube Webmail
 ===========================
 
+- Don't show fake address - phishing prevention (#1488981)
 - Fix forward as attachment bug with editormode != 1 (#1488991)
 - Fix LIMIT/OFFSET queries handling on MS SQL Server (#1488984)
 - Fix so task name can really contain all from a-z0-9_- characters (#1488941)
diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc
index 4a34763..137e87d 100644
--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
@@ -1444,6 +1444,11 @@
     $mailto = $part['mailto'];
     $string = $part['string'];
 
+    // phishing email prevention (#1488981), e.g. "valid@email.addr <phishing@email.addr>"
+    if ($name && $name != $mailto && strpos($name, '@')) {
+      $name = '';
+    }
+
     // IDNA ASCII to Unicode
     if ($name == $mailto)
       $name = rcube_idn_to_utf8($name);
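Review bot: The new guard tests `strpos($name, '@')` for truthiness, so a display name whose first character is `@` gives position 0, is read as false, and is shown unchanged. Comparing against `false` closes that gap: `if ($name && $name != $mailto && strpos($name, '@') !== false) {`. The test also matches only the ASCII `@`, so if `$name` arrives already MIME-decoded (not visible in this hunk) a name using a look-alike character such as the fullwidth `＠` would still be displayed. A short comment stating that limit would help, e.g. `// only ASCII '@' is detected; look-alike characters in the name are not covered`. The enclosing function starts and ends outside the hunk, so how `$name` is populated could not be checked here.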

--
Gitblit v1.9.1