Revision 5187f764a0937f9fe04e675299558f5c1a90fd77
Committed on 12/11/2017 5:28 am by
Derick Rethans <github@derickrethans.nl>
Fixed issue #58: Restrict the set of characters that can be used for the ezcMail returnPath property.

This issue is documented as CVE-2017-15806, and should be classified as "Low
Risk".

It is indeed possible to pass arbitrary parameters to the "sendmail" binary
when setting the returnPath property of ezcMail when using the
ezcMailMtaTransport. In some situations, it is possible to use an e-mail
address that contains "-X/path/to/wwwroot/file.php" to write a file to the file
system, that can then be accessed and run through domainname/file.php.

This is only possible if *all* of these conditions are true:

- you use the ezcMailMtaTransport
- your "sendmail" binary allows the -X flag to be set, which is not the case
  for exim4 and postfix, as they don't support that argument
- your wwwroot is writable by the user your webserver is running as
- the input to use for the ezcMailAddress that is assigned to the returnPath
  property is not filtered
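
The last condition above is the one an application can close on its own. The following is an added example, not code from this commit or from the Zeta Components Mail repository: it validates an address before it is used as an envelope sender. The allowlist, the function names and the `-f` parameter layout are assumptions, since the character set chosen by the actual fix is not shown on this page.

```php
<?php
// Added example: allowlist check for a return-path address before it reaches
// the MTA command line. Function names and the character set are assumptions.

/** Returns true when $address contains only characters safe for an MTA argument. */
function isSafeReturnPath(string $address): bool
{
    // One "@", no whitespace, quotes, slashes or shell metacharacters.
    // The /D modifier stops "$" from matching before a trailing newline.
    $pattern = '/^[A-Za-z0-9._+-]+@[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$/D';
    if (!preg_match($pattern, $address)) {
        return false;
    }
    // A leading "-" could be parsed by the MTA binary as an option of its own.
    return $address[0] !== '-';
}

/** Builds the extra MTA parameter string, or throws when the address is unsafe. */
function buildSendmailParams(string $returnPath): string
{
    if (!isSafeReturnPath($returnPath)) {
        throw new InvalidArgumentException('Rejected returnPath value');
    }
    // Assumed layout: the address is appended directly to -f, with no space.
    return '-f' . $returnPath;
}

// Constructed sample inputs; the second embeds the option string quoted in
// the commit message above.
$samples = [
    'bounce@example.org',
    'user@example.org -X/path/to/wwwroot/file.php',
    "bounce@example.org\n",
    '-oQ@example.org',
];

foreach ($samples as $candidate) {
    try {
        echo 'accepted: ', buildSendmailParams($candidate), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', json_encode($candidate), PHP_EOL;
    }
}
```

Only the first sample is accepted; the others fail on whitespace, a slash, a trailing newline or a leading dash.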