Commit d3410597 authored by o

allow setting envelope from in mail()

PHPMailer sets the envelope from via additional_params. Let's whitelist
a parameter that consists solely of `-femail@domain.com`.

This is using a slightly restricted subset of characters that are valid
 in emails. But doing something more precise there seems like overkill.
parent 29051144
......@@ -6,7 +6,7 @@ class php::snuffleupagus::global(
# based on https://snuffleupagus.readthedocs.io/config.html#miscellaneous-examples
$rules = {
'010-mail-add-params' => '# Prevent various `mail`-related vulnerabilities
sp.disable_function.function("mail").param("additional_parameters").value_r("\\\\-").drop();',
sp.disable_function.function("mail").param("additional_parameters").value_r("(?!^\\\\-f[a-zA-Z@.-_+]+$)\\\\-").drop();',
'020-putenv' => '# Since it\'s now burned, me might as well mitigate it publicly
sp.disable_function.function("putenv").param("setting").value_r("LD_").drop();',
'030-includes' => '##Prevent various `include`-related vulnerabilities
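Review bot: the character class `[a-zA-Z@.-_+]` in the new `010-mail-add-params` rule does not mean "dot, hyphen, underscore": inside a class an unescaped `-` between two characters is a range, so `.-_` spans every byte from `.` (0x2E) to `_` (0x5F). That admits digits (which the rule does need), but also `/`, `:`, `;`, `<`, `=`, `>`, `?`, `[`, `\`, `]` and `^`, none of which belong in an envelope sender, while a literal `-` (common in hostnames) is not allowed at all. Spell the class out explicitly with the hyphen last, e.g. `[a-zA-Z0-9@._+-]`, so the whitelist matches the "restricted subset of characters valid in emails" the commit message describes. Also worth a comment in the rule: the `^`/`$` anchors inside the lookahead only bind at offset 0, so the trailing `\-` still drops any value containing a hyphen after the leading `-f`; that is the intended behaviour, but it is easy to misread the pattern as allowing `-f` followed by anything in the class.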