Insecure functionality In symfony/symfony
Description
Symfony has an Argument Injection in SendmailTransport via Dash-Prefixed Recipient Address
Description
Symfony Mailer selects a transport via the MAILER_DSN environment variable / configuration (e.g. smtp://..., sendmail://..., native://default). SendmailTransport invokes the local sendmail binary and supports two modes: -bs (speak SMTP over stdin: the default) and -t (read the message on stdin, pass recipients as command-line arguments).
In -t mode, recipient addresses are appended to the sendmail command line without a -- end-of-options separator. A recipient address beginning with - (which Symfony\Component\Mime\Address accepts as valid) is therefore interpreted by sendmail as a command-line option rather than an address.
Resolution
The SendmailTransport transport now ensure -- is set before the list of recipients.
The patch for this issue is available here for branch 5.4.
Credits
Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
 packagist | 5.4.52, 6.4.40, 7.4.12, 8.0.12 | ||
packagist | 5.4.52, 6.4.40, 7.4.12, 8.0.12 |
Aliases
References