dongwei4652 2016-12-27 21:55
Views: 37
Accepted

Does hard-coding the From email address avoid the PHPMailer vulnerability announced yesterday?

The announcement I am referring to was posted at: http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html

I have used code like this in many websites:

<?php
require 'PHPMailerAutoload.php';                     // PHPMailer 5.x, non-namespaced

$mail = new PHPMailer(true);                         // true: throw exceptions on error
$mail->SetFrom('info@mysite.com', 'My Site');        // hard-coded sender
$mail->AddReplyTo($contact_email, $contact_name);    // both values come from user input
$mail->Subject = $subject;
$mail->AltBody = $mail_text;                         // plain-text alternative body
$mail->MsgHTML($mail_html);                          // sets Body and switches to HTML
$result = $mail->Send();

Am I safe from the vulnerability because my from address is hard-coded? Should I worry about the reply-to address, which comes from user input? I do validate it with filter_var, but if I understand correctly, a from address can pass validation and still inject code because spaces are technically allowed in email addresses.


1 answer

  • drctyr2869 2016-12-27 23:04

    Yes, you are safe.

    As Sammitch said, you should never use a user-supplied from address anyway because it will be forgery and you will fail SPF checks. This is mentioned in the PHPMailer docs and in many answers on SO.

    Accepted as the best answer by the asker.
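A defensive version of the pattern discussed above, as an added example (not code from the question, the answer, or the PHPMailer project). It assumes the non-namespaced PHPMailer 5.x API used in the question and a patched PHPMailer release; `safeReplyTo()` and `sendContactMail()` are hypothetical helper names, and the sample addresses at the end are constructed.

```php
<?php
// Added example, not code from the question, the answer or the PHPMailer project.
// Assumes the non-namespaced PHPMailer 5.x API from the question and a patched
// PHPMailer release; safeReplyTo() and sendContactMail() are hypothetical names.
require 'PHPMailerAutoload.php';

// Return the address if it passes filter_var AND a conservative allow-list,
// otherwise null. filter_var only checks RFC syntax, and RFC-valid quoted
// local parts ("..."@domain) may legally contain spaces, quotes and
// backslashes; the allow-list rejects those forms whether or not filter_var does.
function safeReplyTo($address)
{
    $address = trim((string) $address);
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}$/', $address)) {
        return null;
    }
    return $address;
}

function sendContactMail($contactEmail, $contactName, $subject, $mailText, $mailHtml)
{
    $mail = new PHPMailer(true);
    // The sender stays hard-coded: it is the value PHPMailer hands to sendmail's
    // -f option, the path the advisory concerns, so no user input belongs here.
    $mail->setFrom('info@mysite.com', 'My Site');

    // Reply-To is written into the message headers, not the sendmail command
    // line, so it is outside that path; the allow-list is defence in depth.
    $replyTo = safeReplyTo($contactEmail);
    if ($replyTo !== null) {
        // Display names are user input too: strip line breaks before they reach a header.
        $mail->addReplyTo($replyTo, preg_replace('/[\r\n]+/', ' ', (string) $contactName));
    }
    $mail->Subject = $subject;
    $mail->AltBody = $mailText;
    $mail->msgHTML($mailHtml);
    return $mail->send();
}

// Constructed sample inputs: a plain address and two RFC-style quoted forms.
foreach (['alice@example.com', '"john smith"@example.com', '"a\\"b"@example.com'] as $candidate) {
    $ok = safeReplyTo($candidate);
    echo $candidate, ' => ', ($ok === null ? 'rejected' : 'accepted'), "\n";
}
```

Rejecting an unusual address outright, rather than trying to clean it, keeps the contact form usable while nothing outside the allow-list ever reaches a header.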
