Index: contact.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/contact.module,v
retrieving revision 1.42
diff -u -r1.42 contact.module
--- contact.module 21 Feb 2006 18:46:54 -0000 1.42
+++ contact.module 21 Feb 2006 19:54:01 -0000
@@ -157,6 +157,13 @@
 }
 }
 
+function contact_mail_user_validate($form_id, &$form) {
+ global $form_values;
+ if (eregi("\r", $form_values['subject']) || eregi("\n", $form_values['subject'])) {
+ form_set_error('subject', t('The subject cannot contain linebreaks.'));
+ }
+}
+
 function contact_mail_user_submit($form_id, $edit) {
 global $user;
 
@@ -392,6 +399,13 @@
 function contact_mail_page_validate($form_id, &$form) {
 global $form_values;
 
+ if (!valid_email_address($form_values['mail'])) {
+ form_set_error('mail', t('You must enter a valid e-mail address.'));
+ }
+ if (eregi("\r", $form_values['subject']) || eregi("\n", $form_values['subject'])) {
+ form_set_error('subject', t('The subject cannot contain linebreaks.'));
+ watchdog('mail', 'Email injection exploit attempted in contact form subject: ' . check_plain($edit['subject']), WATCHDOG_NOTICE);
+ }
 if (!$form['cid']) {
 // Look if there is only one category
 $result = db_query('SELECT cid FROM {contact}');
@@ -402,10 +416,6 @@
 else {
 form_set_error('category', t('You must select a valid category.'));
 }
-
- if (!valid_email_address($form['mail'])) {
- form_set_error('mail', t('You must enter a valid e-mail address.'));
- }
 }
 }
 
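Review bot: The header-injection guard in contact_mail_user_validate is written as two case-insensitive regex calls, `eregi("\r", ...) || eregi("\n", ...)`, for what is a literal single-character test; a single `if (preg_match('/[\r\n]/', $form_values['subject'])) {` says the same thing, avoids the deprecated ereg family, and is the form both validators in this diff should share so the check cannot drift between them. The `&$form` parameter is accepted but never read here, which is worth a one-line comment such as `// Form values are read from the global, not from $form.` so the next maintainer does not "fix" it. This validator also differs from its page-form sibling in that it rejects silently with no watchdog() entry, which looks unintentional given the logging added below, though that may be a deliberate choice for authenticated users. The function is complete within the hunk; contact_mail_user_submit that follows continues outside it.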
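Review bot: The new watchdog() call in contact_mail_page_validate reads `$edit['subject']`, but `$edit` is not a parameter of this function (its signature, visible as the hunk's first context line, is `($form_id, &$form)`) and is not declared in the visible body, so the log entry will always carry an empty subject and raise an undefined-variable notice; the value that was actually checked is `$form_values['subject']`, and the line should read `watchdog('mail', 'Email injection exploit attempted in contact form subject: ' . check_plain($form_values['subject']), WATCHDOG_NOTICE);`. While here, the duplicated `eregi("\r", ...) || eregi("\n", ...)` pair is better expressed as `preg_match('/[\r\n]/', $form_values['subject'])`, matching whatever form the user-form validator ends up with. The guard covers only the subject; whether the `mail` field can still carry CR/LF into headers depends on valid_email_address(), which is not shown here and should be confirmed. The function's body continues past the end of the hunk.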