PHP :: Bug #22939 :: imap_header_info crashes a page when the from, cc or bcc field is () or <>

Bug #22939

imap_header_info crashes a page when the from, cc or bcc field is () or <>

Submitted:

2003-03-28 09:53 UTC

Modified:

2003-04-15 14:40 UTC

Votes:	1
Avg. Score:	3.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

simon dot wilmer at milestoneip dot com

Assigned:

Status:

Closed

Package:

IMAP related

PHP Version:

4.3.1

OS:

Red Hat 8.0

Private report:

CVE-ID:

None

View Developer Edit

[2003-03-28 09:53 UTC] simon dot wilmer at milestoneip dot com

Hi,

Using PHP 4.3.0 and 4.3.1 with IMAP_2001.RELEASE-CANDIDATE.1 and IMAP_2003.DEV.SNAP-0303181124 and Apache 1.3.27. The imap_header_info function returns an obkect with headers from an email, when trying to read the ->to, ->toaddress, ->cc, ->ccaddress, ->bcc, ->bccaddress values the page will crash if the from, cc or bcc field in the email itself is "()" or "<>" in the headers. Any normal text is fine, but the values above cause the page to crash. 

There is no error message returned unfortunately. Below is some sample code to test this.

Also you will need to set the "from" in an email to () or <> to cause the problem. If anyone thinks it's a good idea I might email security@php.net as someone could "break" the mailbox of any web based email system by mailing an email with a "broken" from field.

Sample code:
<?
	$connection = imap_open('{localhost:143}INBOX', 'username', 'password');

	$headers = imap_headerinfo($connection, 1);
	echo $headers->subject." <br>";
		
	$var = $headers->from;
		
	if (is_array($var))
	{
                //This line is where the script "hangs"
		echo $var[0]->mailbox."@".$var[0]->host;
	}
?>

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2003-03-31 15:16 UTC] iliaa@php.net

Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip

[2003-04-04 11:24 UTC] simon dot wilmer at milestoneip dot com

Hi,

Sorry, the latest CVS seems to suffer from the same problem. 

I decided to have a little play with the code in php_imap.c and managed to work out a way of stopping the problem, by changing a section of code in _php_make_header_object() that assigns the fromaddress and from[] variables. It's around line 3700 depending on the version. The "fix" works by checking the length of the from variable is greater than 0. If it's 0 it just skips assigning the value.

if (en->from) {
   MAKE_STD_ZVAL(paddress);
   array_init(paddress);
   _php_imap_parse_address(en->from, &fulladdress, paddress TSRMLS_CC);
   
   //Check the length of the from field to see if it's 0,
   //if it is 0 then a field like () has been found
   if (_php_imap_address_size(en->from) > 0) {
      if (fulladdress) {
         add_property_string(myzvalue, "fromaddress", fulladdress, 1);
         free(fulladdress);
      }

      add_assoc_object(myzvalue, "from", paddress);
   }
}

The same change can be made to the Cc and Bcc parts to prevent the problem with them. 

I don't know if this might break anything else, but hopefully this will be helpful for investigating further. 

Cheers,
Simon

[2003-04-08 20:45 UTC] iliaa@php.net

Could you please try the patch at http://bb.prohost.org/imap.txt, which hopefuly will solve this problem. Unfortunately, I do not have access to imap enabled server, so I cannnot test it myself.

[2003-04-15 14:40 UTC] simon dot wilmer at milestoneip dot com

Hi,

Thanks that sorts it out nicely. 

Cheers,
Simon

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri Jan 31 14:01:29 2025 UTC