From 5125c0e332c3090126df6804bdf56f606f272ecb Mon Sep 17 00:00:00 2001
From: Petr Skoda <commits@skodak.org>
Date: Sat, 21 Jan 2012 15:21:08 +0100
Subject: [PATCH] MDL-31202 do not try sending emails to invalid addresses

The use of mtrace() in email_to_user() is most probably incorrect, I am going to use it only in CLI scripts (which includes cron). This should not be considered a security issue because we should be already validating emails when accepting them from untrusted users.
---
 lib/moodlelib.php | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/lib/moodlelib.php b/lib/moodlelib.php
index 34a846069d7..e17d8d089f9 100644
--- a/lib/moodlelib.php
+++ b/lib/moodlelib.php
@@ -5024,6 +5024,17 @@ function email_to_user($user, $from, $subject, $messagetext, $messagehtml='', $a
         return true;
     }
 
+    if (!validate_email($user->email)) {
+        // we can not send emails to invalid addresses - it might create security issue or confuse the mailer
+        $invalidemail = "User $user->id (".fullname($user).") email ($user->email) is invalid! Not sending.";
+        error_log($invalidemail);
+        if (CLI_SCRIPT) {
+            // do not print this in standard web pages
+            mtrace($invalidemail);
+        }
+        return false;
+    }
+
     if (over_bounce_threshold($user)) {
         $bouncemsg = "User $user->id (".fullname($user).") is over bounce threshold! Not sending.";
         error_log($bouncemsg);
-- 
2.11.4.GIT