MDL-58121 email: ensure support user is defined in email_to_user
authorJake Dallimore <jake@moodle.com>
Thu, 2 Mar 2017 02:34:45 +0000 (10:34 +0800)
committerJake Dallimore <jake@moodle.com>
Fri, 17 Mar 2017 01:08:45 +0000 (09:08 +0800)
lib/moodlelib.php
lib/tests/moodlelib_test.php

index 22f6f5b..cc2a1e2 100644 (file)
@@ -5961,6 +5961,7 @@ function email_to_user($user, $from, $subject, $messagetext, $messagehtml = '',
     if ($attachment && $attachname) {
         if (preg_match( "~\\.\\.~" , $attachment )) {
             // Security check for ".." in dir path.
+            $supportuser = core_user::get_support_user();
             $temprecipients[] = array($supportuser->email, fullname($supportuser, true));
             $mail->addStringAttachment('Error in attachment.  User attempted to attach a filename with a unsafe name.', 'error.txt', '8bit', 'text/plain');
         } else {
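Review bot: The `..` branch of email_to_user rejects an unsafe attachment path without recording it server-side: its three statements only add the support user to `$temprecipients` and attach `error.txt`. If that mail is filtered or never read, the attempt leaves no trace, so a log line next to the new lookup would help, for example `debugging('email_to_user: attachment path contains "..", attachment replaced by error.txt', DEBUG_NORMAL);`. The existing comment could also state the outcome, e.g. `// Reject ".." in the path: attach error.txt instead and copy the support user.`. The function starts before this hunk and continues after it, so any further path validation in the else branch is not visible here.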
index c73a5b3..5086082 100644 (file)
@@ -2859,6 +2859,19 @@ class core_moodlelib_testcase extends advanced_testcase {
         $this->assertNotEquals($CFG->noreplyaddress, $result[0]->from);
         $this->assertEquals($CFG->noreplyaddress, $result[1]->from);
         $sink->close();
+
+        // Try to send an unsafe attachment, we should see an error message in the eventual mail body.
+        $attachment = '../test.txt';
+        $attachname = 'txt';
+
+        $sink = $this->redirectEmails();
+        email_to_user($user1, $user2, $subject, $messagetext, '', $attachment, $attachname);
+        $this->assertSame(1, $sink->count());
+        $result = $sink->get_messages();
+        $this->assertCount(1, $result);
+        $this->assertContains('error.txt', $result[0]->body);
+        $this->assertContains('Error in attachment.  User attempted to attach a filename with a unsafe name.', $result[0]->body);
+        $sink->close();
     }
 
     /**
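Review bot: The new assertions inspect only the mail body, so they would still pass if the support user were never added as a recipient, which is what the `$supportuser` lookup is there to make work. If the email sink exposes the recipient list, assert that the support address is in it. Otherwise, note in the test comment that the regression is presumably caught through the PHP notice raised for the undefined variable. A second case with `..` inside the path rather than at its start (a constructed value such as `'dir/../test.txt'`) would pin the substring match in the `preg_match` check. The test method begins outside this hunk.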