[Rt-commit] r5943 - in rt/branches/3.4-RELEASE: .

jesse at bestpractical.com
Fri Sep 15 15:31:27 EDT 2006


Author: jesse
Date: Fri Sep 15 15:31:25 2006
New Revision: 5943

Modified:
   rt/branches/3.4-RELEASE/   (props changed)
   rt/branches/3.4-RELEASE/lib/RT/Interface/Email/Auth/MailFrom.pm

Log:
 r27507 at pinglin:  jesse | 2006-09-15 20:30:47 +0100
 [mail gateway] Todd Chapman discovered a case where RT's mail gateway would default to the RT::SystemUser if no valid from header were found. This could allow a malicious user to create tickets or reply to tickets, but not to gain access to data.
 
 


Modified: rt/branches/3.4-RELEASE/lib/RT/Interface/Email/Auth/MailFrom.pm
==============================================================================
--- rt/branches/3.4-RELEASE/lib/RT/Interface/Email/Auth/MailFrom.pm	(original)
+++ rt/branches/3.4-RELEASE/lib/RT/Interface/Email/Auth/MailFrom.pm	Fri Sep 15 15:31:25 2006
@@ -60,6 +60,11 @@
 
     # We don't need to do any external lookups
     my ( $Address, $Name ) = ParseSenderAddressFromHead( $args{'Message'}->head );
+
+    unless ($Address) {
+        return ( $args{'CurrentUser'}, -1 );
+    }
+
     my $CurrentUser = RT::CurrentUser->new();
     $CurrentUser->LoadByEmail($Address);
 
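Review bot: The new early return in MailFrom.pm silently hands back the caller-supplied $args{'CurrentUser'} together with a -1 status when ParseSenderAddressFromHead() yields no address, but nothing in the hunk records why authentication was refused; consider logging the failure before returning (for example `$RT::Logger->error("Couldn't parse a sender address from the message")` above `return ( $args{'CurrentUser'}, -1 );`) so that operators can distinguish a malformed From header from the fall-through case the log message describes. Note also that the safety of this fix rests entirely on every caller honouring the -1 status rather than inspecting the returned user object, since the object returned is whatever was passed in, not a freshly constructed unprivileged RT::CurrentUser; a one-line comment above the `unless ($Address)` block stating that contract would make the intent clear to future readers of this file.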

