From e3df92a1bdd7b24c42f08756d6c2049590749d71 Mon Sep 17 00:00:00 2001
From: Peter Rotich <peter@enhancesoft.com>
Date: Sun, 29 Sep 2013 03:57:08 +0000
Subject: [PATCH] Require email match to thread incoming email when ticket
 number on subject line is used.

---
 include/class.thread.php | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/include/class.thread.php b/include/class.thread.php
index d5442eb3d..05642a322 100644
--- a/include/class.thread.php
+++ b/include/class.thread.php
@@ -674,11 +674,16 @@ Class ThreadEntry {
         }
 
         // Search for ticket by the [#123456] in the subject line
+        // This is the last resort -  emails must match to avoid message
+        // injection by third-party.
         $subject = $mailinfo['subject'];
         $match = array();
-        if ($subject && preg_match("/\[#([0-9]{1,10})\]/", $subject, $match))
+        if ($subject && $mailinfo['email']
+                && preg_match("/\[#([0-9]{1,10})\]/", $subject, $match)
+                && ($tid = Ticket::getIdByExtId((int)$match[1], $mailinfo['email']))
+                )
             // Return last message for the thread
-            return Message::lastByExtTicketId((int)$match[1]);
+            return Message::lastByTicketId($tid);
 
         return null;
     }
-- 
GitLab