From d827a289ac8cb0ef4292c2e042706d7ecb2a41ec Mon Sep 17 00:00:00 2001
From: Claude
Date: Mon, 25 May 2026 13:36:46 +0000
Subject: [PATCH] fix: apply stripCRLF to From:/To: SMTP headers
gmailUser_ and recipient_ were written into the From: and To: header lines without sanitization, leaving the same CRLF-injection vector that the original PR fixed for Subject. Apply stripCRLF() to both fields so all three header values are injection-safe.
https://claude.ai/code/session_01Lq2gNbRv9voqav7jsmQMnD
---
 src/alerter.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/alerter.cpp b/src/alerter.cpp
index e694779..93ce412 100644
--- a/src/alerter.cpp
+++ b/src/alerter.cpp
@@ -88,8 +88,8 @@ bool Alerter::sendEmail(const std::string& subject, const std::string& body) {
 // Build the full message (headers + blank line + body).
 std::ostringstream msg;
 msg << "Date: " << rfc5322Date() << "\r\n"
- << "From: WeatherDisplay <" << gmailUser_ << ">\r\n"
- << "To: <" << recipient_ << ">\r\n"
+ << "From: WeatherDisplay <" << stripCRLF(gmailUser_) << ">\r\n"
+ << "To: <" << stripCRLF(recipient_) << ">\r\n"
 << "Subject: " << stripCRLF(subject) << "\r\n"
 << "Content-Type: text/plain; charset=UTF-8\r\n"
 << "\r\n"
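Review bot: Stripping CR/LF where `gmailUser_` and `recipient_` are written into the `From:`/`To:` lines silently rewrites a malformed address instead of rejecting it, and it protects only this one use of the two members. If the same members also feed the SMTP envelope or the login elsewhere in `sendEmail` (not visible here; the function starts and ends outside the hunk), those paths still receive the raw values. I would fail closed before building the message, e.g. `if (stripCRLF(gmailUser_) != gmailUser_ || stripCRLF(recipient_) != recipient_) return false;`, with a log line so a bad configuration is noticed. Because both values are placed inside `<...>`, a check that they contain no `<`, `>` or whitespace, done once where they are loaded, would cover every later use.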