now enabled by default.
* $wgLBFactoryConf: Class names have had underscores removed. The configuration
should be updated if LBFactory_Simple or LBFactory_Multi is configured.
+* $wgPasswordSenderName has been deprecated. To set a custom mailer name,
+ the system message 'emailsender' should be modified (default: "{{SITENAME}}").
=== New features in 1.23 ===
* ResourceLoader can utilize the Web Storage API to cache modules client-side.
/**
* Password reminder name
+ *
+ * @deprecated since 1.23; use the system message 'emailsender' instead.
*/
$wgPasswordSenderName = 'MediaWiki Mail';
*/
public function sendMail( $subject, $body, $from = null, $replyto = null ) {
if ( is_null( $from ) ) {
- global $wgPasswordSender, $wgPasswordSenderName;
- $sender = new MailAddress( $wgPasswordSender, $wgPasswordSenderName );
+ global $wgPasswordSender;
+ $sender = new MailAddress( $wgPasswordSender,
+ wfMessage( 'emailsender' )->inContentLanguage()->text() );
} else {
$sender = new MailAddress( $from );
}
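Review bot: The From display name built by `wfMessage( 'emailsender' )->inContentLanguage()->text()` now comes from an on-wiki system message instead of server configuration, so anyone who can edit interface messages controls a string that ends up in a mail header. Nothing in this hunk shows how `MailAddress` neutralises that string; presumably it passes through `rfc822Phrase()`, which should be confirmed, along with what happens when the message is blanked. The same expression is repeated in `composeCommonMailtext()` and in the later hunk that builds `$mailFrom`, so a single helper would keep the three call sites in step. I would also add a comment such as `// Sender name is wiki-editable; MailAddress must quote it before it reaches the From header`. The body of sendMail continues outside the hunk.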
static function arrayToHeaderString( $headers, $endl = "\n" ) {
$strings = array();
foreach ( $headers as $name => $value ) {
+ // Prevent header injection by stripping newlines from value
+ $value = self::sanitizeHeaderValue( $value );
$strings[] = "$name: $value";
}
return implode( $endl, $strings );
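Review bot: Only `$value` goes through `sanitizeHeaderValue()`; `$name` is still interpolated into `"$name: $value"` unchanged, so a header name containing CR or LF would still split the header block. If any caller can derive header names from request data (not visible here), the key should be cleaned too, e.g. `$name = self::sanitizeHeaderValue( $name );` before the interpolation. Because newlines are removed silently, a value that a caller has already folded across lines will run together, so the comment could say `// Values must be passed unfolded; CR/LF are stripped, not re-folded`.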
self::$mErrorString = preg_replace( '/^mail\(\)(\s*\[.*?\])?: /', '', $string );
}
+ /**
+ * Strips bad characters from a header value to prevent PHP mail header injection attacks
+ * @param string $val String to be santizied
+ * @return string
+ */
+ public static function sanitizeHeaderValue( $val ) {
+ return strtr( $val, array( "\r" => '', "\n" => '' ) );
+ }
+
/**
* Converts a string into a valid RFC 822 "phrase", such as is used for the sender name
* @param $phrase string
* @return string
*/
public static function rfc822Phrase( $phrase ) {
- $phrase = strtr( $phrase, array( "\r" => '', "\n" => '', '"' => '' ) );
+ // Remove line breaks
+ $phrase = self::sanitizeHeaderValue( $phrase );
+ // Remove quotes
+ $phrase = str_replace( '"', '', $phrase );
return '"' . $phrase . '"';
}
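Review bot: `rfc822Phrase()` removes `"` but leaves backslashes, so a phrase ending in `\` produces a quoted string whose closing quote is escaped. With the sender name now taken from an editable message, this is worth closing, e.g. `$phrase = str_replace( array( '"', '\\' ), '', $phrase );`. `sanitizeHeaderValue()` strips only `\r` and `\n`; NUL and other control characters pass through, and whether the mail backend tolerates them is not visible here. The new docblock has a typo ("santizied") and could state that CR and LF are removed from the value rather than the value being rejected.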
* Generate the generic "this page has been changed" e-mail text.
*/
private function composeCommonMailtext() {
- global $wgPasswordSender, $wgPasswordSenderName, $wgNoReplyAddress;
+ global $wgPasswordSender, $wgNoReplyAddress;
global $wgEnotifFromEditor, $wgEnotifRevealEditorAddress;
global $wgEnotifImpersonal, $wgEnotifUseRealName;
# Reveal the page editor's address as REPLY-TO address only if
# the user has not opted-out and the option is enabled at the
# global configuration level.
- $adminAddress = new MailAddress( $wgPasswordSender, $wgPasswordSenderName );
+ $adminAddress = new MailAddress( $wgPasswordSender,
+ wfMessage( 'emailsender' )->inContentLanguage()->text() );
if ( $wgEnotifRevealEditorAddress
&& ( $this->editor->getEmail() != '' )
&& $this->editor->getOption( 'enotifrevealaddr' )
// This is a bit ugly, but will serve to differentiate
// wiki-borne mails from direct mails and protects against
// SPF and bounce problems with some mailers (see below).
- global $wgPasswordSender, $wgPasswordSenderName;
+ global $wgPasswordSender;
- $mailFrom = new MailAddress( $wgPasswordSender, $wgPasswordSenderName );
+ $mailFrom = new MailAddress( $wgPasswordSender,
+ wfMessage( 'emailsender' )->inContentLanguage()->text() );
$replyTo = $from;
} else {
// Put the sending user's e-mail address in the From: header.
Please enter a well-formatted address or empty that field.',
'cannotchangeemail' => 'Account email addresses cannot be changed on this wiki.',
'emaildisabled' => 'This site cannot send emails.',
+'emailsender' => '{{SITENAME}}', # do not translate or duplicate this message to other languages
'accountcreated' => 'Account created',
'accountcreatedtext' => 'The user account for [[{{ns:User}}:$1|$1]] ([[{{ns:User talk}}:$1|talk]]) has been created.',
'createaccount-title' => 'Account creation for {{SITENAME}}',
'invalidemailaddress' => 'Shown as a warning when written an invalid email address in [[Special:Preferences]] and {{fullurl:Special:UserLogin|type=signup}} page',
'cannotchangeemail' => 'Error message shown when user goes to [[Special:ChangeEmail]] but email addresses cannot be changed on the site.',
'emaildisabled' => 'Error message shown when user tries to set an email address but email features are disabled.',
+'emailsender' => 'From name used in system email sent to users.',
'accountcreated' => 'Used as page title in [[Special:UserLogin]].
See also:
'signupstart',
'signupend',
'signupend-https',
+ 'emailsender',
'sitenotice',
'sitesubtitle',
'sitetitle',
'invalidemailaddress',
'cannotchangeemail',
'emaildisabled',
+ 'emailsender',
'accountcreated',
'accountcreatedtext',
'createaccount-title',