Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Users can enter any random string for the email address and the module appears to attempt to email using that string.
This can be a security issue (since the from address is inserted as is into the message headers).
Attempting to subscribe an address like:
joe@example.org\r\nSubject: buy viagra here\r\nTo: thirdparty@example.org
Could cause the script to do things it wasn't intended to do.
| Comment | File | Size | Author |
|---|---|---|---|
| lists.module.patch | 653 bytes | jmcclelland |
Comments
Comment #1
kbahey commentedThanks.
Committed to 5.x-1.x-dev.
Comment #2
Anonymous (not verified) commentedAutomatically closed -- issue fixed for two weeks with no activity.