Bug #16808
closedsetHeaders in class.t3lib_htmlmail forget to quote the realname parts of the "From" and "reply-to" headers
0%
Description
the function setHeaders dont quote the realname parts of this mail addresses. Some times user input a comma in input fields of forms. if now autoreplay scripts pass the "from" adress back to a mailserver this miss interpret the mail address and split it to 2 recipients.
Bugfix for that is simple quote the realname parts like patches below:
line: 460:
$this->add_header('From: "'.$this->from_name.'" <'.$this->from_email.'>');
line: 468:
$this->add_header('Reply-To: "'.$this->replyto_name.'" <'.$this->replyto_email.'>');
(issue imported from #M4692)
Updated by Thorsten Kahler over 17 years ago
For mail forms this is fixed TYPO3 4.0.5 and 4.1RC2. Extensions using t3lib_htmlmail should always check the data submitted and e.g. quote names if necessary.
Although adding some built-in security to t3lib_htmlmail is still a point to discuss.
Updated by Andreas Otto † over 16 years ago
Also have a look at http://www.php.net/manual/en/function.mail.php section "notes" which tries to explain where the mail function implementation in PHP differs on Windows. Which is why your solution might break sending mails with TYPO3 on Windows.
Updated by Christian Kuhn over 15 years ago
Resolved, no change required:
Proper quoting needs to be done manually in code using this API, for core this is done.