[Rt-commit] r6052 - in rt/branches/QUEBEC-EXPERIMENTAL: lib/RT/Interface/Email/Auth
ruz at bestpractical.com
Tue Sep 26 20:16:00 EDT 2006
Author: ruz
Date: Tue Sep 26 20:15:58 2006
New Revision: 6052
Modified:
rt/branches/QUEBEC-EXPERIMENTAL/ (props changed)
rt/branches/QUEBEC-EXPERIMENTAL/lib/RT/Interface/Email/Auth/MailFrom.pm
Log:
r3759 at cubic-pc (orig r5943): jesse | 2006-09-15 23:31:25 +0400
r27507 at pinglin: jesse | 2006-09-15 20:30:47 +0100
[mail gateway] Todd Chapman discovered a case where RT's mail gateway would default to the RT::SystemUser if no valid From header were found. This could allow a malicious user to create tickets or reply to tickets, but not to gain access to data.
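To make the failure mode in the commit message concrete, the following is an added example (not RT's code, and not the patch itself): a minimal sender lookup for a mail gateway written two ways, fail-open, where an unparseable From header silently lands on a privileged fallback account, and fail-closed, where it is rejected. The user table, the messages, and the names parse_sender, resolve_sender_fail_open and resolve_sender_fail_closed are constructed for this illustration; the policy of also rejecting unknown senders in the fail-closed version is a hypothetical choice, not RT's behaviour.

```perl
#!/usr/bin/perl
# Added example, not RT code: a toy mail-gateway sender lookup showing the
# fail-open pattern the commit message describes next to a fail-closed one.
use strict;
use warnings;

# Constructed "user database": email address -> user record.
my %users = (
    'alice@example.com' => { id => 12, name => 'alice', privileged => 0 },
);
# The privileged account an unauthenticated request must never run as
# (stands in for RT::SystemUser here; hypothetical record).
my $system_user = { id => 1, name => 'RT_System', privileged => 1 };

# Pull the first address-like token out of the From header; returns undef
# when the header is missing or carries no usable address.
sub parse_sender {
    my ($headers) = @_;
    my $from = $headers->{From} // '';
    return $from =~ /<([^>\s]+@[^>\s]+)>/ ? $1
         : $from =~ /([^\s<>]+@[^\s<>]+)/   ? $1
         : undef;
}

# Fail-open resolver: an unknown or missing sender falls back to the system
# user, so a message with no From header acts with system privileges.
sub resolve_sender_fail_open {
    my ($headers) = @_;
    my $address = parse_sender($headers);
    my $user = defined $address ? $users{$address} : undef;
    return ( $user || $system_user, 1 );
}

# Fail-closed resolver: no parseable address means no authentication, so
# return no user and a negative auth level and let the gateway reject the mail.
sub resolve_sender_fail_closed {
    my ($headers) = @_;
    my $address = parse_sender($headers);
    return ( undef, -1 ) unless defined $address;
    my $user = $users{$address};
    return ( undef, -1 ) unless $user;    # hypothetical policy: unknown senders rejected
    return ( $user, 1 );
}

# Constructed messages: a normal one and one with no From header at all.
my @messages = (
    { Subject => 'help',      From => 'Alice <alice@example.com>' },
    { Subject => 'no sender' },
);
for my $headers (@messages) {
    my ( $open_user,   $open_level )   = resolve_sender_fail_open($headers);
    my ( $closed_user, $closed_level ) = resolve_sender_fail_closed($headers);
    printf "%-10s fail-open -> %s (level %d); fail-closed -> %s (level %d)\n",
        $headers->{Subject},
        $open_user->{name}, $open_level,
        ( $closed_user ? $closed_user->{name} : 'rejected' ), $closed_level;
}
```

Running it prints the first message resolving to alice under both policies, while the message without a From header resolves to RT_System under the fail-open policy and is rejected with level -1 under the fail-closed one; that second line is the condition the patch closes.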
Modified: rt/branches/QUEBEC-EXPERIMENTAL/lib/RT/Interface/Email/Auth/MailFrom.pm
==============================================================================
--- rt/branches/QUEBEC-EXPERIMENTAL/lib/RT/Interface/Email/Auth/MailFrom.pm (original)
+++ rt/branches/QUEBEC-EXPERIMENTAL/lib/RT/Interface/Email/Auth/MailFrom.pm Tue Sep 26 20:15:58 2006
@@ -60,6 +60,11 @@
# We don't need to do any external lookups
my ( $Address, $Name ) = ParseSenderAddressFromHead( $args{'Message'}->head );
+
+ unless ($Address) {
+ return ( $args{'CurrentUser'}, -1 );
+ }
+
my $CurrentUser = RT::CurrentUser->new();
$CurrentUser->LoadByEmail($Address);
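Review bot: the early return added in this hunk rejects the message silently: when ParseSenderAddressFromHead yields no address, nothing records why the mail was dropped, so an operator tracing a bounced message has no trace in the log. Suggest logging before returning, for instance `$RT::Logger->warning("Couldn't parse or find sender's address");` above `return ( $args{'CurrentUser'}, -1 );`, and adding a short comment stating that the bare `-1` auth level means "reject, do not fall through to the system user", since that meaning is not visible from the hunk itself.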