
Fix CRLF header injection in SMTP From and To headers#103

Merged
GageLawton merged 1 commit into main from claude/fix-crlf-smtp-70 on May 27, 2026

Conversation

@GageLawton
Owner

Summary

Closes #70

The Subject: header was already sanitized via stripCRLF(), but From: and To: were passing gmailUser_ and recipient_ directly into the raw SMTP message without stripping. A malformed value in either field could inject arbitrary headers into outgoing mail.

Changes

  • src/alerter.cpp: wrap gmailUser_ and recipient_ with stripCRLF() when building the From: and To: SMTP headers

Test plan

  • Confirm email alerts still send correctly with a normal .env configuration
  • Verify a GMAIL_USER value containing \r\n does not produce extra headers in the outgoing message

gmailUser_ and recipient_ were written into the From: and To: header
lines without sanitization, leaving the same CRLF-injection vector
that the original PR fixed for Subject.  Apply stripCRLF() to both
fields so all three header values are injection-safe.

https://claude.ai/code/session_01Lq2gNbRv9voqav7jsmQMnD
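An added example, not the project's own src/alerter.cpp code: a stand-alone stripCRLF() in the spirit of the helper this PR applies, a hypothetical buildHeaders() that mirrors the fixed From:/To:/Subject: path, and a line-count check that implements the test plan's "GMAIL_USER containing \r\n" case. The function names and the sample addresses are assumptions made for the example.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Hypothetical stand-in for the project's stripCRLF(): drops every CR (0x0D)
// and LF (0x0A) so a header value can never terminate its own line and
// start another header.
std::string stripCRLF(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        if (c != '\r' && c != '\n') {
            out.push_back(c);
        }
    }
    return out;
}

// Hypothetical header builder mirroring the fixed code path: all three
// values pass through stripCRLF() before being joined with CRLF.
std::string buildHeaders(const std::string& from,
                         const std::string& to,
                         const std::string& subject) {
    return "From: " + stripCRLF(from) + "\r\n"
         + "To: " + stripCRLF(to) + "\r\n"
         + "Subject: " + stripCRLF(subject) + "\r\n";
}

// Check from the test plan: count the header lines actually produced.
// Exactly three means no value smuggled in an extra line.
std::size_t countHeaderLines(const std::string& headers) {
    std::size_t n = 0;
    std::string::size_type pos = 0;
    while ((pos = headers.find("\r\n", pos)) != std::string::npos) {
        ++n;
        pos += 2;
    }
    return n;
}

int main() {
    // Constructed GMAIL_USER value carrying an embedded CRLF, as in the test plan.
    const std::string badUser = "alerts@example.com\r\nX-Injected: 1";
    const std::string headers = buildHeaders(badUser, "ops@example.com", "Weather alert");
    std::cout << headers;  // "X-Injected: 1" stays inside the From: value, never its own line
    std::cout << "lines: " << countHeaderLines(headers) << "\n";  // lines: 3
    return 0;
}
```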
GageLawton self-assigned this on May 27, 2026
GageLawton merged commit 087aab1 into main on May 27, 2026
2 checks passed
GageLawton deleted the claude/fix-crlf-smtp-70 branch on May 27, 2026 01:28

Development

Successfully merging this pull request may close these issues.

Security: CRLF header injection via unsanitized weather alert headline in SMTP Subject

2 participants