From 96ee5c373e529eb3313bf8174ab095ab12588f21 Mon Sep 17 00:00:00 2001
From: Carsten Brandt <mail@cebe.cc>
Date: Wed, 28 Dec 2016 23:50:10 +0100
Subject: [PATCH] added more tests for SwiftMailer vulnerability CVE-2016-10074

https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html
---
 .../validators/EmailValidatorTest.php         | 21 ++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/tests/framework/validators/EmailValidatorTest.php b/tests/framework/validators/EmailValidatorTest.php
index acbf0998d0..e1ffe3cb41 100644
--- a/tests/framework/validators/EmailValidatorTest.php
+++ b/tests/framework/validators/EmailValidatorTest.php
@@ -128,15 +128,34 @@ class EmailValidatorTest extends TestCase
     public function malformedAddressesProvider()
     {
         return [
+            // this is the demo email used in the proof of concept of the exploit
+            ['"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php "@email.com'],
+            // trying more adresses
             ['"Attacker -Param2 -Param3"@test.com'],
             ['\'Attacker -Param2 -Param3\'@test.com'],
             ['"Attacker \" -Param2 -Param3"@test.com'],
             ["'Attacker \\' -Param2 -Param3'@test.com"],
-            ['"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php "@email.com']
+            ['"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php "@email.com'],
+            // and even more variants
+            ['"attacker\"\ -oQ/tmp/\ -X/var/www/cache/phpcode.php"@email.com'],
+            ["\"attacker\\\"\0-oQ/tmp/\0-X/var/www/cache/phpcode.php\"@email.com"],
+            ['"attacker@cebe.cc\"-Xbeep"@email.com'],
+
+            ["'attacker\\' -oQ/tmp/ -X/var/www/cache/phpcode.php'@email.com"],
+            ["'attacker\\\\' -oQ/tmp/ -X/var/www/cache/phpcode.php'@email.com"],
+            ["'attacker\\\\'\\ -oQ/tmp/ -X/var/www/cache/phpcode.php'@email.com"],
+            ["'attacker\\';touch /tmp/hackme'@email.com"],
+            ["'attacker\\\\';touch /tmp/hackme'@email.com"],
+            ["'attacker\\';touch/tmp/hackme'@email.com"],
+            ["'attacker\\\\';touch/tmp/hackme'@email.com"],
+            ['"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php "@email.com'],
         ];
     }
 
     /**
+     * Test malicious email addresses that can be used to exploit SwiftMailer vulnerability CVE-2016-10074
+     * https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html
+     *
      * @dataProvider malformedAddressesProvider
      */
     public function testMalformedAddresses($value)