elofgren: Define 'EMAIL_BOUNCEHANDLER_KEY' in sapphire/_config.php and require its value to be sent as 'Key' $_GET var in pings to /Email_BounceHandler to prevent fake email bounce pings.

(merged from branches/gsoc)


git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@41977 467b73ca-7a2a-4603-9d3b-597d59a354a9
This commit is contained in:
Ingo Schommer 2007-09-16 00:35:09 +00:00
parent f54e9db8b9
commit 87a0535439
2 changed files with 12 additions and 0 deletions

View File

@ -81,5 +81,11 @@ Security::encrypt_passwords(true);
*/
Security::set_password_encryption_algorithm('sha1', true);
/**
* The secret key that needs to be sent along with pings to /Email_BounceHandler.
* Change this to something different for increase security.
* For more information see: http://doc.silverstripe.com/doku.php?id=email_bouncehandler
*/
define('EMAIL_BOUNCEHANDLER_KEY', '1aaaf8fb60ea253dbf6efa71baaacbb3');
?>

View File

@ -797,6 +797,12 @@ class Email_BounceHandler extends Controller {
return;
}
// Check against access key defined in sapphire/_config.php
if( !isset($_REQUEST['Key']) || $_REQUEST['Key'] != EMAIL_BOUNCEHANDLER_KEY) {
echo 'Error: Access validation failed. Invalid "Key" specified.';
return;
}
if( !$_REQUEST['Email'] ) {
echo "No email address";
return;