Issue #3351129 by AdamPS: Safeguard transport DSN

73093c1d · Adam Shepherd · Adam Shepherd · a3c4e0a6 · 73093c1d · 73093c1d
Commit 73093c1d authored 2 years ago by Adam Shepherd Committed by Adam Shepherd 2 years ago
--- a/src/Plugin/MailerTransport/DsnTransport.php
+++ b/src/Plugin/MailerTransport/DsnTransport.php
@@ -57,7 +57,7 @@ class DsnTransport extends TransportBase {
      Transport::fromDsn($dsn);
    }
    catch (\Exception $e) {
-      $form_state->setErrorByName('dsn', $this->t('Invalid DSN.'));
+      $form_state->setErrorByName('dsn', $this->t('Invalid DSN: @message', ['@message' => $e->getMessage()]));
    }
  }


--- a/src/ReplacementSendmailTransportFactory.php
+++ b/src/ReplacementSendmailTransportFactory.php
+<?php
+
+namespace Drupal\symfony_mailer;
+
+use Drupal\Core\Site\Settings;
+use Symfony\Component\Mailer\Transport\AbstractTransportFactory;
+use Symfony\Component\Mailer\Transport\Dsn;
+use Symfony\Component\Mailer\Transport\SendmailTransportFactory;
+use Symfony\Component\Mailer\Transport\TransportInterface;
+
+/**
+ * Provides a replacement sendmail transport factory that checks the command.
+ */
+final class ReplacementSendmailTransportFactory extends AbstractTransportFactory {
+
+  /**
+   * {@inheritdoc}
+   */
+  public function create(Dsn $dsn): TransportInterface {
+    if ($command = $dsn->getOption('command')) {
+      $commands = Settings::get('mailer_sendmail_commands', []);
+      if (!in_array($command, $commands)) {
+        throw new \RuntimeException("Unsafe sendmail command {$command}");
+      }
+    }
+
+    return (new SendmailTransportFactory())->create($dsn);
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  protected function getSupportedSchemes(): array {
+    return ['sendmail', 'sendmail+smtp'];
+  }
+
+}
--- a/src/TransportFactoryManager.php
+++ b/src/TransportFactoryManager.php
@@ -3,6 +3,7 @@
 namespace Drupal\symfony_mailer;

 use Symfony\Component\Mailer\Transport;
+use Symfony\Component\Mailer\Transport\SendmailTransportFactory;
 use Symfony\Component\Mailer\Transport\TransportFactoryInterface;

 /**
@@ -22,6 +23,12 @@ class TransportFactoryManager implements TransportFactoryManagerInterface {
   */
  public function __construct() {
    $this->factories = iterator_to_array(Transport::getDefaultFactories());
+
+    // Replace the sendmail transport factory with our own implementation.
+    $this->factories = array_filter($this->factories, function ($factory) {
+      return !($factory instanceof SendmailTransportFactory);
+    });
+    $this->addFactory(new ReplacementSendmailTransportFactory());
  }

  /**