moodle/moodle
3
0
Fork 0
mirror of https://github.com/moodle/moodle.git synced 2025-08-05 00:46:50 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

MDL-58121 email: ensure support user is defined in email_to_user

Browse source
This commit is contained in:
Jake Dallimore 2017-03-02 10:34:45 +08:00
parent 98c4094eac
commit 62b482938b
2 changed files with 14 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

1
lib/moodlelib.php
View file

@ -5961,6 +5961,7 @@ function email_to_user($user, $from, $subject, $messagetext, $messagehtml = '',
if ($attachment && $attachname) {
if (preg_match( "~\\.\\.~" , $attachment )) {
// Security check for ".." in dir path.
$supportuser = core_user::get_support_user();
$temprecipients[] = array($supportuser->email, fullname($supportuser, true));
$mail->addStringAttachment('Error in attachment. User attempted to attach a filename with a unsafe name.', 'error.txt', '8bit', 'text/plain');
} else {

13
lib/tests/moodlelib_test.php
View file

@ -2859,6 +2859,19 @@ class core_moodlelib_testcase extends advanced_testcase {
$this->assertNotEquals($CFG->noreplyaddress, $result[0]->from);
$this->assertEquals($CFG->noreplyaddress, $result[1]->from);
$sink->close();
// Try to send an unsafe attachment, we should see an error message in the eventual mail body.
$attachment = '../test.txt';
$attachname = 'txt';
$sink = $this->redirectEmails();
email_to_user($user1, $user2, $subject, $messagetext, '', $attachment, $attachname);
$this->assertSame(1, $sink->count());
$result = $sink->get_messages();
$this->assertCount(1, $result);
$this->assertContains('error.txt', $result[0]->body);
$this->assertContains('Error in attachment. User attempted to attach a filename with a unsafe name.', $result[0]->body);
$sink->close();
}
/**