From a416426b939cf0ac1795aa269048e751b7230b81 Mon Sep 17 00:00:00 2001
From: Angel Fernando Quiroz Campos
Date: Fri, 24 May 2024 17:23:26 -0500
Subject: [PATCH] Internal: validate email address before set it in mail - refs BT#21613
---
 public/main/inc/lib/api.lib.php | 26 ++++++++++++++-----
 .../Repository/MessageRepositoryTest.php | 1 -
 2 files changed, 20 insertions(+), 7 deletions(-)
diff --git a/public/main/inc/lib/api.lib.php b/public/main/inc/lib/api.lib.php
index 7213d8c0de..2ad2f434aa 100644
--- a/public/main/inc/lib/api.lib.php
+++ b/public/main/inc/lib/api.lib.php
@@ -20,6 +20,7 @@ use Symfony\Component\Finder\Finder;
 use Symfony\Component\Mime\Address;
 use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
 use Symfony\Component\Security\Core\User\UserInterface;
+use Symfony\Component\Validator\Constraints as Assert;
 use ZipStream\Option\Archive;
 use ZipStream\ZipStream;
 use Chamilo\CoreBundle\Component\Utils\ActionIcon;
@@ -7112,6 +7113,9 @@ function api_set_noreply_and_from_address_to_mailer(
 array $sender,
 array $replyToAddress = []
 ): void {
+ $validator = Container::getLegacyHelper()->getValidator();
+ $emailConstraint = new Assert\Email();
+
 $noReplyAddress = api_get_setting('noreply_email_address');
 $avoidReplyToAddress = false;
@@ -7129,13 +7133,23 @@ function api_set_noreply_and_from_address_to_mailer(
 $senderEmail = !empty($sender['email']) ? $sender['email'] : $defaultSenderEmail;
 // Send errors to the platform admin
- $email
- ->getHeaders()
- ->addIdHeader('Errors-To', api_get_setting('admin.administrator_email'))
- ;
+ $adminEmail = api_get_setting('admin.administrator_email');
+
+ $adminEmailValidation = $validator->validate($adminEmail, $emailConstraint);
+
+ if (!empty($adminEmail) && 0 === $adminEmailValidation->count()) {
+ $email
+ ->getHeaders()
+ ->addIdHeader('Errors-To', $adminEmail)
+ ;
+ }
+
+ if (!$avoidReplyToAddress) {
+ $replyToEmailValidation = $validator->validate($replyToAddress['mail'], $emailConstraint);
- if (!$avoidReplyToAddress && !empty($replyToAddress)) {
- $email->addReplyTo(new Address($replyToAddress['mail'], $replyToAddress['name']));
+ if (!empty($replyToAddress) && 0 === $replyToEmailValidation->count()) {
+ $email->addReplyTo(new Address($replyToAddress['mail'], $replyToAddress['name']));
+ }
 }
 if ('true' === api_get_setting('mail.smtp_unique_sender')) {
diff --git a/tests/CoreBundle/Repository/MessageRepositoryTest.php b/tests/CoreBundle/Repository/MessageRepositoryTest.php
index b73d98ffb7..05b5d671e4 100644
--- a/tests/CoreBundle/Repository/MessageRepositoryTest.php
+++ b/tests/CoreBundle/Repository/MessageRepositoryTest.php
@@ -18,7 +18,6 @@ use Chamilo\CoreBundle\Repository\Node\UserRepository;
 use Chamilo\Tests\AbstractApiTest;
 use Chamilo\Tests\ChamiloTestTrait;
 use Symfony\Component\HttpFoundation\Response;
-use Symfony\Component\Messenger\Transport\InMemoryTransport;
 class MessageRepositoryTest extends AbstractApiTest
 {
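Review bot: In the reply-to branch of the `@@ -7129,13 +7133,23 @@` hunk in `public/main/inc/lib/api.lib.php`, `$validator->validate($replyToAddress['mail'], $emailConstraint)` runs before the `!empty($replyToAddress)` test, so a call that relies on the default `[]` now reads an undefined `'mail'` key whenever `$avoidReplyToAddress` is false, which the old combined condition guarded against. Symfony's `Email` constraint also treats `null` and `''` as valid, so a non-empty array with an empty `'mail'` still passes the count check and reaches `new Address(...)`, unlike the admin address, which is also tested with `!empty($adminEmail)`. Test the key first, `if (!$avoidReplyToAddress && !empty($replyToAddress['mail'])) {`, validate inside that block, and reduce the inner condition to `if (0 === $replyToEmailValidation->count()) {`. A rejected address is dropped silently in both branches; a log line naming the setting or parameter would let an operator notice a misconfigured value. The function body starts and ends outside this hunk.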