From 87aef7814b8caaf40fe205a2d2571fa0d77fcd8f Mon Sep 17 00:00:00 2001
From: brandonkelly
Date: Mon, 13 Jun 2022 14:31:19 -0700
Subject: [PATCH] Ignore HTTP_* env vars
---
 CHANGELOG.md | 4 ++++
 src/mail/transportadapters/Sendmail.php | 2 +-
 src/web/twig/variables/Cp.php | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1b182f0d94a..6d8113a2b9c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,10 @@
 - Fixed a bug where the `install` command would run non-interactively even if not all needed options were passed, resulting in an error after the database tables had been added. ([#11305](https://github.com/craftcms/cms/issues/11305))
 - Fixed a viewport clipping bug on the control panel’s Login page. ([#11372](https://github.com/craftcms/cms/pull/11372))
+### Security
+- Environment-aware control panel fields no longer suggest environment variables that begin with `HTTP_`.
+- The Sendmail mailer no longer validates if the Sendmail Command setting is set to an enivornment variable that begins with `HTTP_`.
+
 ## 3.7.44 - 2022-06-03
 ### Changed
diff --git a/src/mail/transportadapters/Sendmail.php b/src/mail/transportadapters/Sendmail.php
index c9dc0451a19..c72753d88cb 100644
--- a/src/mail/transportadapters/Sendmail.php
+++ b/src/mail/transportadapters/Sendmail.php
@@ -135,7 +135,7 @@ private function _allowedCommands(): array
 $command = Craft::$app->getProjectConfig()->get('email.transportSettings.command');
 return array_unique(array_filter([
- !StringHelper::startsWith($command, '$') ? $command : null,
+ (!StringHelper::startsWith($command, '$') || StringHelper::startsWith('$HTTP_')) ? $command : null,
 self::DEFAULT_COMMAND,
 ini_get('sendmail_path'),
 ]));
diff --git a/src/web/twig/variables/Cp.php b/src/web/twig/variables/Cp.php
index cfbeb61bf5b..b8866f84096 100644
--- a/src/web/twig/variables/Cp.php
+++ b/src/web/twig/variables/Cp.php
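Review bot: The added condition in `_allowedCommands()` calls `StringHelper::startsWith('$HTTP_')` with a single argument — `$command` is never passed — so with Craft's usual `startsWith(string $string, string $with, …)` signature this line should raise an ArgumentCountError the first time the method runs, and if it somehow does not, it tests the literal `'$HTTP_'` rather than the configured command. Even with the argument supplied, a non-negated check joined by `||` puts a command that starts with `$HTTP_` into the allowed list, which is the opposite of what this commit's CHANGELOG entry states; if the intent is to keep env-var references other than `HTTP_*` allowed, the shape that says so is `(!StringHelper::startsWith($command, '$') || !StringHelper::startsWith($command, '$HTTP_')) ? $command : null,`. Because `HTTP_*` entries in `$_SERVER` are populated from the incoming request's headers, the validation rule that consumes this list (outside the hunk) is what keeps a request-supplied value out of the sendmail command, so a unit test asserting that a `$HTTP_`-prefixed setting is rejected is worth adding next to the fix. The method's closing brace is outside the hunk.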
@@ -490,7 +490,7 @@ public function getEnvSuggestions(bool $includeAliases = false): array
 $envSuggestions = [];
 foreach (array_keys($_SERVER) as $var) {
- if (is_string($var) && is_string($env = App::env($var))) {
+ if (is_string($var) && !StringHelper::startsWith($var, 'HTTP_') && is_string($env = App::env($var))) {
 $envSuggestions[] = [
 'name' => '$' . $var,
 'hint' => $security->redactIfSensitive($var, Craft::getAlias($env, false)),
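Review bot: The new `HTTP_` exclusion in `getEnvSuggestions()` is explained only by the CHANGELOG entry, not in the code, so a later cleanup could drop it without noticing; a one-line comment on the `if` would pin the reason, e.g. `// $_SERVER['HTTP_*'] keys mirror request headers (client-controlled), so never offer them as env-var suggestions.` The check is an exact, case-sensitive prefix match, and `$_SERVER` also carries a few request-derived keys that the CGI convention does not prefix with `HTTP_` (`CONTENT_TYPE`, `CONTENT_LENGTH`, `QUERY_STRING`, `REQUEST_URI`), which this loop will still suggest whenever `App::env()` returns a string for them — worth confirming whether the same policy should cover those. The hunk presumably relies on `StringHelper` already being imported in Cp.php; the use block is outside the hunk, as is the rest of `getEnvSuggestions()`.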