[Rt-commit] rt branch, 4.2/put-an-X-on-it, updated. rt-4.1.19-100-g7da4a51
Kevin Falcone
falcone at bestpractical.com
Wed Sep 4 17:35:16 EDT 2013
The branch, 4.2/put-an-X-on-it has been updated
via 7da4a51b3d725c68cb54498190a2cc4ac78a8fae (commit)
from 4f34a6f37a4f101729702a4fc9ca497b48284769 (commit)
Summary of changes:
t/security/CVE-2012-4730-email-header-injection.t | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
- Log -----------------------------------------------------------------
commit 7da4a51b3d725c68cb54498190a2cc4ac78a8fae
Author: Kevin Falcone <falcone at bestpractical.com>
Date: Wed Sep 4 17:34:18 2013 -0400
This security test checked for RT-Originator leaking
diff --git a/t/security/CVE-2012-4730-email-header-injection.t b/t/security/CVE-2012-4730-email-header-injection.t
index 893d111..2a5bb5a 100644
--- a/t/security/CVE-2012-4730-email-header-injection.t
+++ b/t/security/CVE-2012-4730-email-header-injection.t
@@ -16,7 +16,7 @@ use Email::Abstract;
# -------------------------------------------------
# Via recipient headers w/ RecordOutgoingEmail ON | No | No |
# Via recipient headers w/ RecordOutgoingEmail OFF | Yes | No |
-# Via RT-Originator | Yes | No |
+# Via RT-Originator (X-RT-Originator in 4.2) | Yes | No |
# Via other default headers | No | No |
# -------------------------------------------------
#
@@ -70,7 +70,7 @@ note "To: header (any recipient header)";
}
}
-note "RT-Originator header";
+note "X-RT-Originator (previously RT-Originator) header";
{
for my $originator (1, 0) {
RT->Config->Set( UseOriginatorHeader => $originator );
@@ -92,8 +92,8 @@ note "RT-Originator header";
my $entity = Email::Abstract->new($email[0])->cast('MIME::Entity');
my $head = $entity->head;
if ($originator) {
- like $head->get("RT-Originator"), qr/foo\@example\.com/, "RT-Originator contains email";
- like $head->get("RT-Originator"), qr/Evil: yes/, "Evil didn't leak out of RT-Originator";
+ like $head->get("X-RT-Originator"), qr/foo\@example\.com/, "X-RT-Originator contains email";
+ like $head->get("X-RT-Originator"), qr/Evil: yes/, "Evil didn't leak out of X-RT-Originator";
}
ok !$head->get("Evil"), "No Evil header";
unlike $entity->stringify_body, qr/Malicious/, "No Malicious body";
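Review bot: The two renamed `like` assertions run only inside `if ($originator)`, so the `UseOriginatorHeader => 0` pass of the loop never checks that the originator header is absent; it relies on the generic `ok !$head->get("Evil")` check alone. Assuming RT omits the header when the option is off, an `else` branch would pin that down: `else { ok !$head->get("X-RT-Originator"), "No X-RT-Originator when UseOriginatorHeader is off"; }`. Since the header was renamed, the same branch could also assert that the legacy `RT-Originator` name is no longer emitted, so requester-controlled text cannot reappear under the old name unnoticed. The enclosing block and the `for my $originator (1, 0)` loop start outside this hunk, so confirm the setup there before adding the branch.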
-----------------------------------------------------------------------