PHP :: Bug #32311 :: mb_encode_mimeheader does not properly escape characters

Bug #32311

mb_encode_mimeheader does not properly escape characters

Submitted:

2005-03-15 10:30 UTC

Modified:

2005-04-13 10:15 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

mortoray at ecircle-ag dot com

Assigned:

Status:

Closed

Package:

mbstring related

PHP Version:

4.*, 5.*

OS:

Private report:

CVE-ID:

None

View Developer Edit

[2005-03-15 10:30 UTC] mortoray at ecircle-ag dot com

Description:
------------
At least for Q encoding, this function is unsafe and does not encode correctly. Raw characters which appear as RFC2047 sequences are simply left as is.

Ex:

mb_encode_mimeheader( '=?iso-8859-1?q?this=20is=20some=20text?=' );

returns '=?iso-8859-1?q?this=20is=20some=20text?='

The exact same string, which is obviously not the encoding for the source string.  That is, mb_encode_mimeheader does not do any type of escaping.

That is, the following condition is not always true:
    mb_decode_mimeheader( mb_encode_mimeheader( $text ) ) == $text

Reproduce code:
---------------
$text = '=?iso-8859-1?q?this=20is=20some=20text?=';

assert( mb_decode_mimeheader( mb_encode_mimeheader( $text ) ) == $text );

Expected result:
----------------
The decode/encode sequence should always return the original text.


Actual result:
--------------
Returned result is different than original (that is, the assertion fails).

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2005-03-17 18:09 UTC] iliaa@php.net

Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip

[2005-03-18 09:13 UTC] mortoray at ecircle-ag dot com

I tried the snapshot and got the same results.  What appears to be happening is that the encoders detection of disallowed characters does not include the escape sequences required to do the encoding.

That is, as long as the string is 7-bit ASCII no encoding is ever done, even if a MIME escape occurs in the source string, no encoding will be done.

From the reproduction, it is obviously expected that a MIME escape sequence will also be properly encoded.

[2005-03-24 00:48 UTC] moriyoshi@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

[2005-03-24 01:00 UTC] moriyoshi@php.net

The fix won't go in either 4.3.11 or 5.0.4.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Mar 04 07:01:29 2025 UTC