dongwei4652 2016-12-27 21:55
37 views
Answer accepted

Does hard-coding the From email address avoid the PHPMailer vulnerability announced yesterday?

The announcement I am referring to was posted at: http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html

I have used code like this in many websites:

<?php
require 'PHPMailerAutoload.php';                      // PHPMailer 5.2 autoloader

$mail = new PHPMailer(true);                          // true: throw exceptions on failure
$mail->SetFrom('info@mysite.com', 'My Site');         // fixed sender address
$mail->AddReplyTo( $contact_email, "$contact_name" ); // address and name from the contact form
$mail->Subject = $subject;
$mail->AltBody = $mail_text;                          // plain-text alternative body
$mail->MsgHTML($mail_html);                           // HTML body
$result = $mail->Send();

Am I safe from the vulnerability because my from address is hard-coded? Should I worry about the reply-to address, which comes from user input? I do validate it with filter_var, but if I understand correctly, a from address can pass validation and still inject code because spaces are technically allowed in email addresses.


1 answer

  • drctyr2869 2016-12-27 23:04

    Yes, you are safe.

    As Sammitch said, you should never use a user-supplied from address anyway because it will be forgery and you will fail SPF checks. This is mentioned in the PHPMailer docs and in many answers on SO.

    This answer was selected by the asker as the best answer.
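What the answer above turns on is where the user-supplied value ends up, and the following added example makes that concrete. It is not code from the question, the answer, or PHPMailer itself; the two addresses are constructed, the helper names (`isShellSafeSender`, `envelopeParamsFor`, `replyToHeaderFor`) are hypothetical, and the `-f` reconstruction is a simplification of what the linked CVE-2016-10033 advisory describes for PHPMailer's mail() transport, where the Sender that SetFrom() derives from the From address was passed as mail()'s fifth argument.

```php
<?php
// Added example; not code from the question, the answer, or PHPMailer.
// With PHPMailer's default mail() transport, the Sender (which SetFrom()
// fills in from the From address) was handed to PHP's mail() as its fifth
// argument, "-f<sender>", and so reached the sendmail command line: the
// CVE-2016-10033 path in the advisory linked in the question. A Reply-To
// address, by contrast, only ever becomes a header line.

// Constructed inputs standing in for the form's $contact_email.
// The second uses a quoted local part, which is syntactically valid email
// and carries a backslash-escaped space plus sendmail-style option text.
$harmless  = 'contact@example.com';
$untrusted = '"contact\ -X/var/www/html/evil.php"@example.com';

// The check used in the question: syntax validation only.
function passesFilterVar($address)
{
    return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
}

// Hypothetical stricter check for any address that will become an envelope
// sender: a plain dot-atom local part only, so quotes, spaces and backslashes
// are rejected outright. Deliberately narrower than RFC 5321 allows.
function isShellSafeSender($address)
{
    return passesFilterVar($address)
        && preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/', $address) === 1;
}

// Simplified reconstruction (assumption, following the advisory) of the
// mail() parameter the vulnerable transport built from Sender.
function envelopeParamsFor($sender)
{
    return sprintf('-f%s', $sender);
}

// Where a Reply-To value goes instead: a header line, with CR and LF stripped
// the way PHPMailer's secureHeader() does, so the value cannot begin a new
// header. Simplified; PHPMailer also validates the address first.
function replyToHeaderFor($name, $address)
{
    $strip = function ($s) {
        return trim(str_replace(array("\r", "\n"), '', $s));
    };
    return 'Reply-To: ' . $strip($name) . ' <' . $strip($address) . '>';
}

foreach (array($harmless, $untrusted) as $addr) {
    printf("%s\n", $addr);
    printf("  passes filter_var       : %s\n", passesFilterVar($addr) ? 'yes' : 'no');
    printf("  safe as envelope sender : %s\n", isShellSafeSender($addr) ? 'yes' : 'no');
    printf("  mail() fifth argument   : %s\n", envelopeParamsFor($addr));
    printf("  as Reply-To header      : %s\n", replyToHeaderFor('Contact', $addr));
}
```

Run it with `php example.php`. Only the From/Sender path reaches a shell; the question's code keeps that value fixed and confines the user's address to AddReplyTo, which becomes header data, which is the distinction the answer relies on. Anyone who does need to set Sender from input should gate it with a dot-atom-only check like `isShellSafeSender` rather than with `FILTER_VALIDATE_EMAIL` alone, since the latter accepts quoted local parts.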
