PHP :: Bug #69791 :: Disallow mail header injections by extra headers

Bug #69791

Disallow mail header injections by extra headers

Submitted:

2015-06-10 08:42 UTC

Modified:

2016-10-17 06:40 UTC

Votes:	4
Avg. Score:	4.5 ± 0.9
Reproduced:	3 of 4 (75.0%)
Same Version:	3 (100.0%)
Same OS:	2 (66.7%)

From:

yohgaki@php.net

Assigned:

yohgaki (profile)

Status:

Closed

Package:

Mail related

PHP Version:

master-Git-2015-06-10 (Git)

OS:

any

Private report:

CVE-ID:

None

View Developer Edit

[2015-06-10 08:42 UTC] yohgaki@php.net

Description:
------------
Current mail() and mb_send_mail() accepts additional headers as single string. Therefore, these functions are weak to mail header injections.

To avoid injections, mail/mb_send_mail should be able to accept additional headers as array that contains each element as single header. RFC 2822 "3.6. Field definitions" restricts certain header only once. 

https://tools.ietf.org/html/rfc2822#section-3.6
e.g. to, from, cc, bcc, subject, etc. 

Except these headers, mail/mb_send_mail should be able to set a headers multiple times.

Example additional headers array

$extra_headers = ["Bcc"=>"php@php.net", "X-Other"=>["One", "Two"]];

Since "To" and "Subject" have dedicated parameters, $extra_headers should not contain "To" and "Subject". 

Related bugs
 - https://bugs.php.net/bug.php?id=15841
 - https://bugs.php.net/bug.php?id=14799
 - https://bugs.php.net/bug.php?id=68776

Patches

Pull Requests

Pull requests:

protect master branches except for the pecl repos against force pushes (karma/4)
Imprement bug69791 - https://bugs.php.net/bug.php?id=69791 (php-src/2060)

History

AllCommentsChangesGit/SVN commitsRelated reports

[2015-06-10 08:42 UTC] yohgaki@php.net

-Assigned To: +Assigned To: yohgaki

[2015-06-23 20:03 UTC] cmb@php.net

Related To: Bug #68776

[2016-08-06 01:20 UTC] kalle@php.net

I think this is a rather elegant solution, and it can be implemented in a sort of BC compatible way since the $extra_headers argument is expected to be a string. We could then move forward with E_DEPRECATED for sometime in 7.x and later force it to be an array.

+1

[2016-10-17 06:39 UTC] yohgaki@php.net

-Status: Assigned +Status: Closed

[2016-10-17 06:39 UTC] yohgaki@php.net

Implemented in PHP 7.1.

[2016-10-17 06:40 UTC] yohgaki@php.net

Oops. Implemented in PHP 7.2

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri Oct 31 01:00:01 2025 UTC