Ignore HTTP_* env vars

craftcms · Jun 13, 2022 · 87aef78 · 87aef78
1 parent 3c725f8
commit 87aef78
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -11,6 +11,10 @@
 - Fixed a bug where the `install` command would run non-interactively even if not all needed options were passed, resulting in an error after the database tables had been added. ([#11305](https://github.com/craftcms/cms/issues/11305))
 - Fixed a viewport clipping bug on the control panel’s Login page. ([#11372](https://github.com/craftcms/cms/pull/11372))
 
+### Security
+- Environment-aware control panel fields no longer suggest environment variables that begin with `HTTP_`.
+- The Sendmail mailer no longer validates if the Sendmail Command setting is set to an enivornment variable that begins with `HTTP_`.
+
 ## 3.7.44 - 2022-06-03
 
 ### Changed

diff --git a/src/mail/transportadapters/Sendmail.php b/src/mail/transportadapters/Sendmail.php
@@ -135,7 +135,7 @@ private function _allowedCommands(): array
         $command = Craft::$app->getProjectConfig()->get('email.transportSettings.command');
 
         return array_unique(array_filter([
-            !StringHelper::startsWith($command, '$') ? $command : null,
+            (!StringHelper::startsWith($command, '$') || StringHelper::startsWith('$HTTP_')) ? $command : null,
             self::DEFAULT_COMMAND,
             ini_get('sendmail_path'),
         ]));

diff --git a/src/web/twig/variables/Cp.php b/src/web/twig/variables/Cp.php
@@ -490,7 +490,7 @@ public function getEnvSuggestions(bool $includeAliases = false): array
 
         $envSuggestions = [];
         foreach (array_keys($_SERVER) as $var) {
-            if (is_string($var) && is_string($env = App::env($var))) {
+            if (is_string($var) && !StringHelper::startsWith($var, 'HTTP_') && is_string($env = App::env($var))) {
                 $envSuggestions[] = [
                     'name' => '$' . $var,
                     'hint' => $security->redactIfSensitive($var, Craft::getAlias($env, false)),