Chapril/date.chapril.org-framadate
Chapril/date.chapril.org-framadate
24
1
Fork 0
Code Issues Pull Requests Releases Activity

mail injection bug

Browse Source
This commit is contained in:
Simon Leblanc 2011-05-15 01:47:36 +02:00
parent 2dd5ce6402
commit 4eb0a46238
2 changed files with 28 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
contacts.php
View File

@ -47,14 +47,15 @@ else
include_once('bandeaux.php');
// action du bouton annuler
if ($_POST["envoiquestion"]&&$_POST["nom"]!=""&&$_POST["question"]!=""){
if ((isset($_POST['envoiquestion']) || isset($_POST['envoiquestion_x'])) && isset($_POST['nom']) && !empty($_POST['nom']) && isset($_POST['question']) && !empty($_POST['question'])){
$message=str_replace("\\","",$_POST["question"]);
//envoi des mails
$headers="From: ".NOMAPPLICATION." <".ADRESSEMAILADMIN.">\r\nContent-Type: text/plain; charset=\"UTF-8\"\nContent-Transfer-Encoding: 8bit";
mail (ADRESSEMAILADMIN, "" . _("[CONTACT] You have sent a question ") . "".NOMAPPLICATION, "" . _("You have a question from a user ") . " ".NOMAPPLICATION."\n\n" . _("User") . " : ".$_POST["nom"]."\n\n" . _("User's email address") . " : $_POST[adresse_mail]\n\n" . _("Message") . " :".$message,$headers);
if ($_POST["adresse_mail"]!=""){
if (isset($_POST['adresse_mail']) && !empty($_POST['adresse_mail']) && validateEmail($_POST['adresse_mail'])){
$headers="From: ".NOMAPPLICATION." <".ADRESSEMAILADMIN.">\r\nContent-Type: text/plain; charset=\"UTF-8\"\nContent-Transfer-Encoding: 8bit";
mail ("$_POST[adresse_mail]", "" . _("[COPY] Someone has sent a question ") . "".NOMAPPLICATION, "" . _("Here is a copy of your question") . " :\n\n".$message." \n\n" . _("We're going to answer your question shortly.") . "\n\n" . _("Thanks for your confidence.") . "\n".NOMAPPLICATION,$headers);
}
@ -85,9 +86,14 @@ if ($_POST["envoiquestion"]&&$_POST["nom"]!=""&&$_POST["question"]!=""){
}
else {
$_SESSION["question"]=$_POST["question"];
$_SESSION["nom"]=$_POST["nom"];
$_SESSION["adresse_mail"]=$_POST["adresse_mail"];
$post_var = array('question', 'nom', 'adresse_mail', );
foreach ($post_var as $var) {
if (isset($_POST[$var]) && !empty($_POST[$var])) {
$_SESSION[$var] = $_POST[$var];
} else {
$_SESSION[$var] = null;
}
}
//affichage de la page
echo '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">'."\n";
@ -115,7 +121,7 @@ else {
echo _("Your name") .' :<br>'."\n";
echo '<input type="text" size="40" maxlength="64" name="nom" value="'.$_SESSION["nom"].'">';
if ($_POST["envoiquestion"]&&$_SESSION["nom"]==""){
if ((isset($_POST['envoiquestion']) || isset($_POST['envoiquestion_x'])) && $_SESSION["nom"]==""){
echo ' <font color="#FF0000">'. _("Enter a name") .'</font>';
}
@ -129,7 +135,7 @@ else {
echo _("Question") .' :<br>'."\n";
echo '<textarea name="question" rows="7" cols="40">'.$_SESSION["question"].'</textarea>';
if ($_POST["envoiquestion"]&&$_SESSION["question"]==""){
if ((isset($_POST['envoiquestion']) || isset($_POST['envoiquestion_x'])) && $_SESSION["question"]==""){
echo ' <font color="#FF0000">&nbsp;Il faut poser une question !</font>';
}

15
fonctions.php
View File

@ -131,4 +131,19 @@ function check_table_sondage() {
return false;
}
/**
* Vérifie une adresse e-mail selon les normes RFC
* @param string $email l'adresse e-mail a vérifier
* @return bool vrai si l'adresse est correcte, faux sinon
* @see http://fightingforalostcause.net/misc/2006/compare-email-regex.php
* @see http://svn.php.net/viewvc/php/php-src/trunk/ext/filter/logical_filters.c?view=markup
*/
function validateEmail($email) {
$pattern = '/^(?!(?:(?:\\x22?\\x5C[\\x00-\\x7E]\\x22?)|(?:\\x22?[^\\x5C\\x22]\\x22?)){255,})(?!(?:(?:\\x22?\\x5C[\\x00-\\x7E]\\x22?)|(?:\\x22?[^\\x5C\\x22]\\x22?)){65,}@)(?:(?:[\\x21\\x23-\\x27\\x2A\\x2B\\x2D\\x2F-\\x39\\x3D\\x3F\\x5E-\\x7E]+)|(?:\\x22(?:[\\x01-\\x08\\x0B\\x0C\\x0E-\\x1F\\x21\\x23-\\x5B\\x5D-\\x7F]|(?:\\x5C[\\x00-\\x7F]))*\\x22))(?:\\.(?:(?:[\\x21\\x23-\\x27\\x2A\\x2B\\x2D\\x2F-\\x39\\x3D\\x3F\\x5E-\\x7E]+)|(?:\\x22(?:[\\x01-\\x08\\x0B\\x0C\\x0E-\\x1F\\x21\\x23-\\x5B\\x5D-\\x7F]|(?:\\x5C[\\x00-\\x7F]))*\\x22)))*@(?:(?:(?!.*[^.]{64,})(?:(?:(?:xn--)?[a-z0-9]+(?:-[a-z0-9]+)*\\.){1,126}){1,}(?:(?:[a-z][a-z0-9]*)|(?:(?:xn--)[a-z0-9]+))(?:-[a-z0-9]+)*)|(?:\\[(?:(?:IPv6:(?:(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){7})|(?:(?!(?:.*[a-f0-9][:\\]]){7,})(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,5})?::(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,5})?)))|(?:(?:IPv6:(?:(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){5}:)|(?:(?!(?:.*[a-f0-9]:){5,})(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,3})?::(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,3}:)?)))?(?:(?:25[0-5])|(?:2[0-4][0-9])|(?:1[0-9]{2})|(?:[1-9]?[0-9]))(?:\\.(?:(?:25[0-5])|(?:2[0-4][0-9])|(?:1[0-9]{2})|(?:[1-9]?[0-9]))){3}))\\]))$/iD';
return (bool)preg_match($pattern, $email);
}
?>