php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #22939 imap_header_info crashes a page when the from, cc or bcc field is () or <>
Submitted: 2003-03-28 09:53 UTC Modified: 2003-04-15 14:40 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: simon dot wilmer at milestoneip dot com Assigned:
Status: Closed Package: IMAP related
PHP Version: 4.3.1 OS: Red Hat 8.0
Private report: No CVE-ID: None
View Developer Edit
 [2003-03-28 09:53 UTC] simon dot wilmer at milestoneip dot com 
Hi,

Using PHP 4.3.0 and 4.3.1 with IMAP_2001.RELEASE-CANDIDATE.1 and IMAP_2003.DEV.SNAP-0303181124 and Apache 1.3.27. The imap_header_info function returns an obkect with headers from an email, when trying to read the ->to, ->toaddress, ->cc, ->ccaddress, ->bcc, ->bccaddress values the page will crash if the from, cc or bcc field in the email itself is "()" or "<>" in the headers. Any normal text is fine, but the values above cause the page to crash. 

There is no error message returned unfortunately. Below is some sample code to test this.

Also you will need to set the "from" in an email to () or <> to cause the problem. If anyone thinks it's a good idea I might email security@php.net as someone could "break" the mailbox of any web based email system by mailing an email with a "broken" from field.

Sample code:
<?
	$connection = imap_open('{localhost:143}INBOX', 'username', 'password');

	$headers = imap_headerinfo($connection, 1);
	echo $headers->subject." <br>";
		
	$var = $headers->from;
		
	if (is_array($var))
	{
                //This line is where the script "hangs"
		echo $var[0]->mailbox."@".$var[0]->host;
	}
?>

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2003-03-31 15:16 UTC] iliaa@php.net 
Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip
 [2003-04-04 11:24 UTC] simon dot wilmer at milestoneip dot com 
Hi,

Sorry, the latest CVS seems to suffer from the same problem. 

I decided to have a little play with the code in php_imap.c and managed to work out a way of stopping the problem, by changing a section of code in _php_make_header_object() that assigns the fromaddress and from[] variables. It's around line 3700 depending on the version. The "fix" works by checking the length of the from variable is greater than 0. If it's 0 it just skips assigning the value.

if (en->from) {
   MAKE_STD_ZVAL(paddress);
   array_init(paddress);
   _php_imap_parse_address(en->from, &fulladdress, paddress TSRMLS_CC);
   
   //Check the length of the from field to see if it's 0,
   //if it is 0 then a field like () has been found
   if (_php_imap_address_size(en->from) > 0) {
      if (fulladdress) {
         add_property_string(myzvalue, "fromaddress", fulladdress, 1);
         free(fulladdress);
      }

      add_assoc_object(myzvalue, "from", paddress);
   }
}

The same change can be made to the Cc and Bcc parts to prevent the problem with them. 

I don't know if this might break anything else, but hopefully this will be helpful for investigating further. 

Cheers,
Simon
 [2003-04-08 20:45 UTC] iliaa@php.net 
Could you please try the patch at http://bb.prohost.org/imap.txt, which hopefuly will solve this problem. Unfortunately, I do not have access to imap enabled server, so I cannnot test it myself.
 [2003-04-15 14:40 UTC] simon dot wilmer at milestoneip dot com 
Hi,

Thanks that sorts it out nicely. 

Cheers,
Simon
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Wed Jan 22 10:01:30 2025 UTC