[Rt-commit] r5943 - in rt/branches/3.4-RELEASE: .
jesse at bestpractical.com
Fri Sep 15 15:31:27 EDT 2006
Author: jesse
Date: Fri Sep 15 15:31:25 2006
New Revision: 5943
Modified:
rt/branches/3.4-RELEASE/ (props changed)
rt/branches/3.4-RELEASE/lib/RT/Interface/Email/Auth/MailFrom.pm
Log:
r27507 at pinglin: jesse | 2006-09-15 20:30:47 +0100
[mail gateway] Todd Chapman discovered a case where RT's mail gateway would default to the RT::SystemUser if no valid from header were found. This could allow a malicious user to create tickets or reply to tickets, but not to gain access to data.
Modified: rt/branches/3.4-RELEASE/lib/RT/Interface/Email/Auth/MailFrom.pm
==============================================================================
--- rt/branches/3.4-RELEASE/lib/RT/Interface/Email/Auth/MailFrom.pm (original)
+++ rt/branches/3.4-RELEASE/lib/RT/Interface/Email/Auth/MailFrom.pm Fri Sep 15 15:31:25 2006
@@ -60,6 +60,11 @@
# We don't need to do any external lookups
my ( $Address, $Name ) = ParseSenderAddressFromHead( $args{'Message'}->head );
+
+ unless ($Address) {
+ return ( $args{'CurrentUser'}, -1 );
+ }
+
my $CurrentUser = RT::CurrentUser->new();
$CurrentUser->LoadByEmail($Address);
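Review bot: the new guard returns ( $args{'CurrentUser'}, -1 ) when ParseSenderAddressFromHead yields no address, which stops an undefined $Address from reaching LoadByEmail; the meaning of the -1 status is not documented in the hunk, so a one-line comment above the `unless ($Address)` block stating that -1 tells the caller the sender could not be identified (rather than authenticated as a system user) would help the next reader. It would also be worth logging the rejection here, since a message arriving with no parseable From header is exactly the condition operators would want to see in the mail gateway log when reviewing the behaviour this change fixes.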