From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/steps/mail/func.inc |   16 ++++++++++++----
 1 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc
index 0845bf7..28e6baa 100644
--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
@@ -929,7 +929,7 @@
       $value = $headers[$hkey];
     else if ($headers['others'][$hkey])
       $value = $headers['others'][$hkey];
-    else
+    else if (!$attrib['valueof'])
       continue;
 
     if (in_array($hkey, $exclude_headers))
@@ -1803,9 +1803,17 @@
     // Try Return-Path
     if ($from_idx === null && ($return_path = $MESSAGE->headers->others['return-path'])) {
         foreach ($identities as $idx => $ident) {
-            if (strpos($return_path, str_replace('@', '=', $ident['email_ascii']).'@') !== false) {
-                $from_idx = $idx;
-                break;
+            // Return-Path header contains an email address, but on some mailing list
+            // it can be e.g. <pear-dev-return-55250-local=domain.tld@lists.php.net>
+            // where local@domain.tld is the address we're looking for (#1489241)
+            $ident1 = $ident['email_ascii'];
+            $ident2 = str_replace('@', '=', $ident1);
+
+            foreach ((array)$return_path as $path) {
+                if (stripos($path, $ident1) !== false || stripos($path, $ident2)) {
+                    $from_idx = $idx;
+                    break 2;
+                }
             }
         }
     }

--
Gitblit v1.9.1