This post takes a short look inside the newly released Magento 1 SUPEE-9652 security patch. The patch prevents injection of executable code into the Magento email “Reply To” parameter when the “Return Path” for emails is enabled. Let’s check what it does.

Basically, the patch changes only one file: lib/Zend/Mail/Transport/Sendmail.php, updating the content of the \Zend_Mail_Transport_Sendmail::_sendMail method to:

    public function _sendMail()
    {
        if ($this->parameters === null) {
            set_error_handler(array($this, '_handleMailErrors'));
            $result = mail(
                $this->recipients,
                $this->_mail->getSubject(),
                $this->body,
                $this->header);
            restore_error_handler();
        } else {
            if(!is_string($this->parameters)) {
                /**
                 * @see Zend_Mail_Transport_Exception
                 *
                 * Exception is thrown here because
                 * $parameters is a public property
                 */
                #require_once 'Zend/Mail/Transport/Exception.php';
                throw new Zend_Mail_Transport_Exception(
                    'Parameters were set but are not a string'
                );
            }

            // Sanitize the From header
            if (!Zend_Validate::is(str_replace(' ', '', $this->parameters), 'EmailAddress')) {
                throw new Zend_Mail_Transport_Exception('Potential code injection in From header');
            } else {
                set_error_handler(array($this, '_handleMailErrors'));
                $result = mail(
                    $this->recipients,
                    $this->_mail->getSubject(),
                    $this->body,
                    $this->header,
                    $this->parameters);
                restore_error_handler();
            }
        }

        if ($this->_errstr !== null || !$result) {
            /**
             * @see Zend_Mail_Transport_Exception
             */
            #require_once 'Zend/Mail/Transport/Exception.php';
            throw new Zend_Mail_Transport_Exception('Unable to send mail. ' . $this->_errstr);
        }
    }

The particular change is here:

    if (!Zend_Validate::is(str_replace(' ', '', $this->parameters), 'EmailAddress')) {
        throw new Zend_Mail_Transport_Exception('Potential code injection in From header');
    } else {

Zend_Validate::is actually calls the \Zend_Validate_EmailAddress::isValid method on the $parameters string with spaces removed. This value should be an email address only, so if anything other than a valid email address is passed to $parameters, an exception is thrown.

As described here, $parameters can only be set if “System -> Configuration -> Advanced -> System -> Mail Sending Settings -> Set Return-Path” is set to “Yes”. In that case, malicious code can be injected into the “Reply to” address. After the patch is installed, nothing except a valid email address can be passed there.

As mentioned above, only one file is affected by the patch in both CE and EE. So you will need to make sure that it is not overridden in app/code/local or other pools.
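One way to run that override check from the Magento root, as an added example that is not part of the patch or of Magento itself. It assumes the exception text shown above is a reliable marker of the patched file; the function name `check_sendmail_patch` is hypothetical.

```shell
#!/bin/sh
# Added example: confirm SUPEE-9652 is effective in a Magento 1 tree.
# MARKER is the exception message the patched _sendMail() throws (from the post).
MARKER='Potential code injection in From header'
REL='Zend/Mail/Transport/Sendmail.php'

# check_sendmail_patch MAGENTO_ROOT  (hypothetical helper name)
# Returns 0 when at least one copy of the file exists and every copy carries
# the patch; returns 1 when any copy is unpatched or no copy is found.
check_sendmail_patch() {
    root=$1
    status=0
    found=0
    # Magento 1 resolves classes through the local, community and core
    # code pools before lib, so a copy in a pool shadows the patched lib file.
    for dir in app/code/local app/code/community app/code/core lib; do
        file="$root/$dir/$REL"
        [ -f "$file" ] || continue
        found=1
        if grep -qF "$MARKER" "$file"; then
            echo "patched:   $dir/$REL"
        else
            echo "UNPATCHED: $dir/$REL"
            status=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no copy of $REL found under $root"
        status=1
    fi
    return "$status"
}

# Run against the path given on the command line, if any.
[ "$#" -eq 0 ] || check_sendmail_patch "$1"
```

A copy reported as UNPATCHED in a code pool means the store still loads the old `_sendMail` even though the patch applied cleanly to lib.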

Always keep your Magento store safe and thanks for reading!
