authorBrian Wolff <bawolff+wn@gmail.com>2016-12-10 13:03:21 +0000
committerBrian Wolff <bawolff+wn@gmail.com>2016-12-10 13:03:21 +0000
commitd2aba5a04ea17753eae7ab8b7ab049473147ff37 (patch)
tree8e31a8dbf2812eb92c169ce5dd551281cad5d3f9
parenta3cb3cd362f70c6bc8e3cfee47ad5c6fa159c361 (diff)
Escape return path extra params to php mail()
PHP only escapes some dangerous shell characters. This is a hardening measure, as MW's sanitizeEmail routines should also have prevented evil characters from being in mail addresses in the first place. Bug: T152717 Change-Id: I3736d612ed40d257ee3dde8e98eb30ccf432670a
-rw-r--r--includes/mail/UserMailer.php9
1 files changed, 8 insertions, 1 deletions
diff --git a/includes/mail/UserMailer.php b/includes/mail/UserMailer.php
index c8e9999a3665..21effa0e02d7 100644
--- a/includes/mail/UserMailer.php
+++ b/includes/mail/UserMailer.php
@@ -268,7 +268,14 @@ class UserMailer {
// Add the envelope sender address using the -f command line option when PHP mail() is used.
// Will default to the $from->address when the UserMailerChangeReturnPath hook fails and the
// generated VERP address when the hook runs effectively.
- $extraParams .= ' -f ' . $returnPath;
+
+ // PHP runs this through escapeshellcmd(). However that's not sufficient
+ // escaping (e.g. due to spaces). MediaWiki's email sanitizer should generally
+ // be good enough, but just in case, put in double quotes, and remove any
+ // double quotes present (" is not allowed in emails, so should have no
+ // effect, although this might cause apostrophees to be double escaped)
+ $returnPathCLI = '"' . str_replace( '"', '', $returnPath ) . '"';
+ $extraParams .= ' -f ' . $returnPathCLI;
$headers['Return-Path'] = $returnPath;
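Review bot: The new `$returnPathCLI` line strips only `"` before wrapping the value in double quotes, so whitespace, control characters and the characters a shell still interprets inside double quotes (`$`, backtick, backslash) are left to PHP's `escapeshellcmd()` pass and to whatever sanitising happened upstream. The comment at the top of the hunk says `$returnPath` can be replaced by the `UserMailerChangeReturnPath` hook, so it may not have gone through MediaWiki's own address sanitiser at all. I would validate the value before building the option and omit `-f` (logging the rejection) when it fails, for example by guarding the two added statements with `if ( Sanitizer::validateEmail( $returnPath ) ) { ... }` or an equivalent allowlist check. The same unvalidated `$returnPath` is assigned to `$headers['Return-Path']` on the last line; whether CR/LF is filtered later is not visible here, since the enclosing method starts and ends outside the hunk.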