SendmailRunner #117
SendmailRunner #117
Conversation
There was a problem hiding this comment.
Pull Request Overview
This PR introduces a new SendmailRunner class that provides a secure wrapper for executing sendmail commands with strict validation and safety measures.
- Implements path validation against a configurable allowlist of known sendmail binary locations
- Provides secure command execution using
proc_openwith shell bypass to prevent injection attacks - Includes RFC 5322 compliant message formatting with CRLF normalization
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
| * | ||
| * @category Xmf\Mail | ||
| * @package Xmf | ||
| * @author XOOPS Development Team < |
There was a problem hiding this comment.
The author email address is incomplete. It should include the full email address after the '<' character.
| * @author XOOPS Development Team < | |
| * @author XOOPS Development Team <dev@xoops.org> |
| if (!is_resource($pipes[0]) || feof($pipes[0])) { | ||
| throw new \RuntimeException('sendmail closed the input pipe prematurely.'); | ||
| } | ||
| usleep(10000); |
There was a problem hiding this comment.
The magic number 10000 (microseconds) should be defined as a named constant to improve code readability and maintainability.
| $addr = $m[1]; | ||
| } | ||
| // Forbid any whitespace/control to prevent header/arg injection. | ||
| if (preg_match('/\s/', $addr) || preg_match('/[\r\n]/', $addr)) { |
There was a problem hiding this comment.
These two separate regex operations can be combined into a single pattern for better performance: if (preg_match('/[\s\r\n]/', $addr)) {
| if (preg_match('/\s/', $addr) || preg_match('/[\r\n]/', $addr)) { | |
| if (preg_match('/\s/', $addr)) { |
1 participant
No description provided.