From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/steps/mail/func.inc |    8 +++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)

diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc
index 16a9f49..28e6baa 100644
--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
@@ -1803,8 +1803,14 @@
     // Try Return-Path
     if ($from_idx === null && ($return_path = $MESSAGE->headers->others['return-path'])) {
         foreach ($identities as $idx => $ident) {
+            // Return-Path header contains an email address, but on some mailing list
+            // it can be e.g. <pear-dev-return-55250-local=domain.tld@lists.php.net>
+            // where local@domain.tld is the address we're looking for (#1489241)
+            $ident1 = $ident['email_ascii'];
+            $ident2 = str_replace('@', '=', $ident1);
+
             foreach ((array)$return_path as $path) {
-                if (stripos($path, $ident['email_ascii']) !== false) {
+                if (stripos($path, $ident1) !== false || stripos($path, $ident2)) {
                     $from_idx = $idx;
                     break 2;
                 }

--
Gitblit v1.9.1