Limit sendmail transport to commands specified in settings.php

Created on 27 May 2025, about 1 month ago

Problem/Motivation

When using the Sendmail transport, it's currently possible to set the sendmail command to anything. Drupal core follows a more strict approach that limits the acceptable sendmail commands to those specified in settings.php. We should adopt this same approach for added security.

Steps to reproduce

Install the Drupal Symfony Mailer Lite. Add a Sendmail transport under Configuration > Drupal Symfony Mailer Lite > Transport.

Proposed resolution

Limit the sendmail commands to those specified in $settings['mailer_sendmail_commands'] in settings.php.

Remaining tasks

Add MR with changes.

User interface changes

Sendmail transport add/edit form will only include custom commands specified in settings.php.

API changes

Sendmail transport will fail if configured with commands not specified in settings.php.

Data model changes

None.

📌 Task
Status

Active

Version

2.0

Component

Code

Created by

🇺🇸 United States zengenuity
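
The allowlist check proposed in this issue, as an added example in plain PHP (not code from the module or from Drupal core). The helper names and sample commands are assumptions, and `$allowed` stands in for the value of `$settings['mailer_sendmail_commands']`; an empty list rejects every command.

```php
<?php

declare(strict_types=1);

/**
 * Returns the command only if it exactly matches an allowlisted entry.
 *
 * Hypothetical helper: $allowed stands in for the array read from
 * $settings['mailer_sendmail_commands'] in settings.php.
 */
function assert_allowed_sendmail_command(string $configured, array $allowed): string {
  // Exact, type-strict comparison. No trimming, prefix or basename matching,
  // so an allowed path with extra flags or appended text never passes.
  if (!in_array($configured, $allowed, TRUE)) {
    throw new InvalidArgumentException('Sendmail command is not listed in settings.php.');
  }
  return $configured;
}

/**
 * Builds the add/edit form options from the allowlist only (hypothetical).
 */
function sendmail_command_options(array $allowed): array {
  $options = [];
  foreach ($allowed as $command) {
    // Skip malformed entries instead of offering them in the form.
    if (is_string($command) && $command !== '') {
      $options[$command] = $command;
    }
  }
  return $options;
}

// Constructed sample data: what settings.php might allow, and what a site
// might already have stored in transport configuration.
$allowed = ['/usr/sbin/sendmail -bs', '/usr/sbin/sendmail -t'];
$stored = [
  '/usr/sbin/sendmail -bs',
  '/usr/sbin/sendmail -bs -C /tmp/alt.cf',
  '/opt/tools/custom-mailer',
];

foreach ($stored as $command) {
  try {
    assert_allowed_sendmail_command($command, $allowed);
    echo "allowed:  $command\n";
  }
  catch (InvalidArgumentException $e) {
    echo "rejected: $command\n";
  }
}
```

Running the check when the transport is instantiated, and not only in the form, also covers configuration that was imported or saved before the allowlist existed.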
