From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/steps/mail/func.inc |   11 ++++++++---
 1 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc
index 4780056..28e6baa 100644
--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
@@ -929,7 +929,7 @@
       $value = $headers[$hkey];
     else if ($headers['others'][$hkey])
       $value = $headers['others'][$hkey];
-    else
+    else if (!$attrib['valueof'])
       continue;
 
     if (in_array($hkey, $exclude_headers))
@@ -1803,9 +1803,14 @@
     // Try Return-Path
     if ($from_idx === null && ($return_path = $MESSAGE->headers->others['return-path'])) {
         foreach ($identities as $idx => $ident) {
-            $ident = str_replace('@', '=', $ident['email_ascii']) . '@';
+            // Return-Path header contains an email address, but on some mailing list
+            // it can be e.g. <pear-dev-return-55250-local=domain.tld@lists.php.net>
+            // where local@domain.tld is the address we're looking for (#1489241)
+            $ident1 = $ident['email_ascii'];
+            $ident2 = str_replace('@', '=', $ident1);
+
             foreach ((array)$return_path as $path) {
-                if (strpos($path, $ident) !== false) {
+                if (stripos($path, $ident1) !== false || stripos($path, $ident2)) {
                     $from_idx = $idx;
                     break 2;
                 }

--
Gitblit v1.9.1