Fixed bug #14114: Core mailform is open to spam abuse (thanks to Lars Houmark)
authorOliver Hader <oliver.hader@typo3.org>
Wed, 28 Jul 2010 09:15:36 +0000 (09:15 +0000)
committerOliver Hader <oliver.hader@typo3.org>
Wed, 28 Jul 2010 09:15:36 +0000 (09:15 +0000)
git-svn-id: https://svn.typo3.org/TYPO3v4/Core/branches/TYPO3_4-2@8418 709f56b5-9817-0410-a4d7-c38de5d9e867

ChangeLog
t3lib/class.t3lib_formmail.php
typo3/sysext/cms/tslib/class.tslib_content.php

index 68cdea9..a54ce1a 100755 (executable)
--- a/ChangeLog
+++ b/ChangeLog
@@ -21,6 +21,7 @@
        * Fixed bug #1985: XSS vulnerability in wizard classes
        * Fixed bug #14712: The GET/POST variable mimeType is used to create the http header content-type without verification (thanks to Rupert Germann)
        * Fixed bug #14412: Field value added to foreign_table_where by replacing ###REC_FIELD_THE_FIELD_NAME### is not quoted (thanks to Helmut Hummel and Xavier Perseguers)
+       * Fixed bug #14114: Core mailform is open to spam abuse (thanks to Lars Houmark)
 
 2010-07-21  Ingo Renner  <ingo@typo3.org>
 
index 9ca223e..360eda0 100644 (file)
@@ -67,7 +67,7 @@
  * @see tslib_fe::sendFormmail(), t3lib/formmail.php
  */
 class t3lib_formmail extends t3lib_htmlmail {
-       var $reserved_names = 'recipient,recipient_copy,auto_respond_msg,redirect,subject,attachment,from_email,from_name,replyto_email,replyto_name,organisation,priority,html_enabled,quoted_printable,submit_x,submit_y';
+       protected $reserved_names = 'recipient,recipient_copy,auto_respond_msg,auto_respond_checksum,redirect,subject,attachment,from_email,from_name,replyto_email,replyto_name,organisation,priority,html_enabled,quoted_printable,submit_x,submit_y';
        var $dirtyHeaders = array();    // collection of suspicious header data, used for logging
 
 
@@ -132,9 +132,20 @@ class t3lib_formmail extends t3lib_htmlmail {
                        $this->replyto_email = t3lib_div::validEmail($this->replyto_email) ? $this->replyto_email : '';
                        $this->priority = ($V['priority']) ? t3lib_div::intInRange($V['priority'],1,5) : 3;
 
-                               // Auto responder.
+                               // auto responder
                        $this->auto_respond_msg = (trim($V['auto_respond_msg']) && $this->from_email) ? trim($V['auto_respond_msg']) : '';
-                       $this->auto_respond_msg = $this->sanitizeHeaderString($this->auto_respond_msg);
+
+                       if ($this->auto_respond_msg !== '') {
+                                       // Check if the value of the auto responder message has been modified with evil intentions
+                               $autoRespondChecksum = $V['auto_respond_checksum'];
+                               $correctHmacChecksum = t3lib_div::hmac($this->auto_respond_msg);
+                               if ($autoRespondChecksum !== $correctHmacChecksum) {
+                                       t3lib_div::sysLog('Possible misuse of t3lib_formmail auto respond method. Subject: ' . $V['subject'], 'Core', 3);
+                                       return;
+                               } else {
+                                       $this->auto_respond_msg = $this->sanitizeHeaderString($this->auto_respond_msg);
+                               }
+                       }
 
                        $Plain_content = '';
                        $HTML_content = '<table border="0" cellpadding="2" cellspacing="2">';
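Review bot: The new `return;` on a checksum mismatch silently aborts the whole submission — the recipient mail is never built and the visitor gets no feedback — and it is reached whenever `$V['auto_respond_checksum']` is absent, which is also the case for pages rendered before this change (or served from a cache without the new hidden field), where it additionally raises an undefined-index notice. Reading the value defensively, `$autoRespondChecksum = isset($V['auto_respond_checksum']) ? (string) $V['auto_respond_checksum'] : '';`, removes the notice and makes the "missing field" case explicit in the log message. The log line concatenates the raw `$V['subject']` into sysLog; since this value is attacker-controlled at this point, passing it through `$this->sanitizeHeaderString()` first would keep line breaks out of the log. The `!==` comparison of the two HMAC strings short-circuits on the first differing byte; a constant-time comparison would be preferable where the branch's PHP baseline provides one. The enclosing method starts and ends outside the hunk.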
index 8d09248..1a2b244 100755 (executable)
@@ -1919,6 +1919,15 @@ class tslib_cObj {
                                        break;
                                        case 'hidden':
                                                $value = trim($parts[2]);
+
+                                                       // If this form includes an auto responder message, include a HMAC checksum field
+                                                       // in order to verify potential abuse of this feature.
+                                               if (strlen($value) && t3lib_div::inList($confData['fieldname'], 'auto_respond_msg')) {
+                                                       $hmacChecksum = t3lib_div::hmac($value);
+                                                       $hiddenfields .= sprintf('<input type="hidden" name="auto_respond_checksum" id="%sauto_respond_checksum" value="%s" />',
+                                                                                               $prefix, $hmacChecksum);
+                                               }
+
                                                if (strlen($value) && t3lib_div::inList('recipient_copy,recipient',$confData['fieldname']) && $GLOBALS['TYPO3_CONF_VARS']['FE']['secureFormmail'])      {
                                                        break;
                                                }
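Review bot: The new condition `t3lib_div::inList($confData['fieldname'], 'auto_respond_msg')` passes its arguments in the opposite order to the existing call a few lines below, `t3lib_div::inList('recipient_copy,recipient', $confData['fieldname'])` — here the field name is treated as the list and the literal as the item, which only works because a single field name is a one-element list. Since exactly one field name is being tested, `$confData['fieldname'] === 'auto_respond_msg'` says what is meant and avoids the inverted-argument trap. The `$value` that is hashed has already been trimmed on the line above, which is consistent with the trim applied before verification in t3lib_formmail, so the two sides should agree as long as the hidden field's value round-trips unchanged through the browser; a comment noting that dependency would help the next maintainer. The enclosing case statement sits inside a method that starts and ends outside the hunk.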