LPS-39307 Sanitize CRLF in email headers

xieh · Feb 27, 2015 · 506116a · 506116a
1 parent fd6bbae
commit 506116a
Showing 1 changed file with 12 additions and 4 deletions.
diff --git a/util-java/src/com/liferay/util/mail/MailEngine.java b/util-java/src/com/liferay/util/mail/MailEngine.java
@@ -30,6 +30,8 @@
 import com.liferay.portal.kernel.util.ListUtil;
 import com.liferay.portal.kernel.util.PropsKeys;
 import com.liferay.portal.kernel.util.PropsUtil;
+import com.liferay.portal.kernel.util.StringPool;
+import com.liferay.portal.kernel.util.StringUtil;
 import com.liferay.portal.kernel.util.Validator;
 
 import java.io.File;
@@ -261,7 +263,7 @@ public static void send(
 
 			subject = GetterUtil.getString(subject);
 
-			message.setSubject(subject);
+			message.setSubject(_sanitizeCRLF(subject));
 
 			if (ListUtil.isNotEmpty(fileAttachments)) {
 				MimeMultipart rootMultipart = new MimeMultipart(
@@ -337,12 +339,12 @@ public static void send(
 			}
 
 			if (messageId != null) {
-				message.setHeader("Message-ID", messageId);
+				message.setHeader("Message-ID", _sanitizeCRLF(messageId));
 			}
 
 			if (inReplyTo != null) {
-				message.setHeader("In-Reply-To", inReplyTo);
-				message.setHeader("References", inReplyTo);
+				message.setHeader("In-Reply-To", _sanitizeCRLF(inReplyTo));
+				message.setHeader("References", _sanitizeCRLF(inReplyTo));
 			}
 
 			int batchSize = GetterUtil.getInteger(
@@ -519,6 +521,12 @@ private static boolean _isThrowsExceptionOnFailure() {
 			PropsUtil.get(PropsKeys.MAIL_THROWS_EXCEPTION_ON_FAILURE));
 	}
 
+	private static String _sanitizeCRLF(String text) {
+		return StringUtil.replace(
+			text, new String[] {StringPool.NEW_LINE, StringPool.RETURN},
+			new String[]{StringPool.SPACE, StringPool.SPACE});
+	}
+
 	private static void _send(
 			Session session, Message message, InternetAddress[] bulkAddresses,
 			int batchSize)