[wp-trac] [WordPress Trac] #25651: wp_mail not setting Sender and Reply-To headers, exposing hosting account info on some cPanel servers
WordPress Trac
noreply at wordpress.org
Mon Oct 21 18:19:41 UTC 2013
#25651: wp_mail not setting Sender and Reply-To headers, exposing hosting account
info on some cPanel servers
----------------------------+------------------------------
Reporter: MaximumResults | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: 3.6.1
Severity: major | Resolution:
Keywords: |
----------------------------+------------------------------
Comment (by MaximumResults):
Replying to [ticket:25651 MaximumResults]:
> When WordPress and WordPress plugins send emails using wp_mail() in
> wp-includes/pluggable.php, the "Sender:" and "Reply-to:" headers are not
> being set. When this happens on cPanel based hosting services, the mail
> headers on the resulting emails expose the hosting account login name and
> the hosting server in the hosting service's name space (something like
> myccount at host99.myhostingservice.com ). This provides everything necessary
> to access the hosting account as the owner of the account, except the
> password. Registrants on a site should not be provided this information.
I have a suggested solution. The PHPMailer class provides a method
SetFrom(), and the code there has a parameter, "auto", which will
automatically set the "Sender:" and "Reply-To:" header information from
the email name/address.
So, a possible solution would be, at line 340 of pluggable.php, put these
three lines:
{{{
$from_email = apply_filters( 'wp_mail_from' , $from_email );
$from_name = apply_filters( 'wp_mail_from_name', $from_name );
$phpmailer->SetFrom($from_email, $from_name, true );
}}}
In place of the current lines 340-341:
{{{
$phpmailer->From = apply_filters( 'wp_mail_from' , $from_email );
$phpmailer->FromName = apply_filters( 'wp_mail_from_name', $from_name );
}}}
--
Ticket URL: <http://core.trac.wordpress.org/ticket/25651#comment:1>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
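
An added example, not part of the ticket or of WordPress core: the same alignment of envelope sender and Reply-To applied from a must-use plugin through the `phpmailer_init` action instead of editing pluggable.php, with a helper for checking the headers of a delivered test message. The function names are hypothetical, and it assumes a WordPress release whose bundled PHPMailer provides `getReplyToAddresses()`.

```php
<?php
// Added example, not WordPress core code. Function names are hypothetical.
// Intended as a must-use plugin file under wp-content/mu-plugins/.

// phpmailer_init fires inside wp_mail() after From and FromName are set.
add_action( 'phpmailer_init', 'example_align_envelope_sender' );

function example_align_envelope_sender( $phpmailer ) {
	$from = $phpmailer->From;

	// Never copy a malformed address into the envelope.
	if ( ! is_email( $from ) ) {
		return;
	}

	// PHPMailer hands Sender to the MTA as the envelope sender, so the
	// local account at the server's hostname is no longer the default.
	if ( empty( $phpmailer->Sender ) ) {
		$phpmailer->Sender = $from;
	}

	// Respect a Reply-To that the caller already supplied via $headers.
	if ( 0 === count( $phpmailer->getReplyToAddresses() ) ) {
		$phpmailer->addReplyTo( $from, $phpmailer->FromName );
	}
}

// Verification helper: given the raw header block of a delivered test
// message, return the names of address headers whose domain differs from
// the From domain (candidates for a leaked hosting account address).
function example_find_mismatched_headers( $raw_headers ) {
	$domains = array();
	foreach ( array( 'From', 'Sender', 'Return-Path', 'Reply-To' ) as $name ) {
		$pattern = '/^' . preg_quote( $name, '/' ) . ':.*?@([A-Za-z0-9.-]+)/mi';
		if ( preg_match( $pattern, $raw_headers, $m ) ) {
			$domains[ $name ] = strtolower( $m[1] );
		}
	}
	if ( ! isset( $domains['From'] ) ) {
		return array();
	}
	$from_domain = $domains['From'];
	unset( $domains['From'] );
	return array_keys( array_diff( $domains, array( $from_domain ) ) );
}
```

Whether the server keeps the supplied envelope sender depends on its MTA configuration, so run the helper on the headers of a message that was actually delivered.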