#410: added missing CRLF injection checks for disposition-notification-to and return-receipt-to recipients (if provided in the email)

Author: bbottema

modules/simple-java-mail/src/main/java/org/simplejavamail/mailer/MailerHelper.java

@@ -101,6 +101,14 @@ public static boolean validate(@NotNull final Email email, @Nullable final Email
 			scanForInjectionAttack(email.getBounceToRecipient().getName(), "email.bounceToRecipient.name");
 			scanForInjectionAttack(email.getBounceToRecipient().getAddress(), "email.bounceToRecipient.address");
 		}
+		if (!valueNullOrEmpty(email.getDispositionNotificationTo())) {
+			scanForInjectionAttack(email.getDispositionNotificationTo().getName(), "email.dispositionNotificationTo.name");
+			scanForInjectionAttack(email.getDispositionNotificationTo().getAddress(), "email.dispositionNotificationTo.address");
+		}
+		if (!valueNullOrEmpty(email.getReturnReceiptTo())) {
+			scanForInjectionAttack(email.getReturnReceiptTo().getName(), "email.returnReceiptTo.name");
+			scanForInjectionAttack(email.getReturnReceiptTo().getAddress(), "email.returnReceiptTo.address");
+		}
 		for (final Recipient recipient : email.getRecipients()) {
 			scanForInjectionAttack(recipient.getName(), "email.recipient.name");
 			scanForInjectionAttack(recipient.getAddress(), "email.recipient.address");