php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #69791 Disallow mail header injections by extra headers
Submitted: 2015-06-10 08:42 UTC Modified: 2016-10-17 06:40 UTC
Votes:4
Avg. Score:4.5 ± 0.9
Reproduced:3 of 4 (75.0%)
Same Version:3 (100.0%)
Same OS:2 (66.7%)
From: yohgaki@php.net Assigned: yohgaki (profile)
Status: Closed Package: Mail related
PHP Version: master-Git-2015-06-10 (Git) OS: any
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: yohgaki@php.net
New email:
PHP Version: OS:

 

 [2015-06-10 08:42 UTC] yohgaki@php.net
Description:
------------
Current mail() and mb_send_mail() accepts additional headers as single string. Therefore, these functions are weak to mail header injections.

To avoid injections, mail/mb_send_mail should be able to accept additional headers as array that contains each element as single header. RFC 2822 "3.6. Field definitions" restricts certain header only once. 

https://tools.ietf.org/html/rfc2822#section-3.6
e.g. to, from, cc, bcc, subject, etc. 

Except these headers, mail/mb_send_mail should be able to set a headers multiple times.

Example additional headers array

$extra_headers = ["Bcc"=>"php@php.net", "X-Other"=>["One", "Two"]];

Since "To" and "Subject" have dedicated parameters, $extra_headers should not contain "To" and "Subject". 

Related bugs
 - https://bugs.php.net/bug.php?id=15841
 - https://bugs.php.net/bug.php?id=14799
 - https://bugs.php.net/bug.php?id=68776




Patches

Pull Requests

Pull requests:

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-06-10 08:42 UTC] yohgaki@php.net
-Assigned To: +Assigned To: yohgaki
 [2016-08-06 01:20 UTC] kalle@php.net
I think this is a rather elegant solution, and it can be implemented in a sort of BC compatible way since the $extra_headers argument is expected to be a string. We could then move forward with E_DEPRECATED for sometime in 7.x and later force it to be an array.

+1
 [2016-10-17 06:39 UTC] yohgaki@php.net
-Status: Assigned +Status: Closed
 [2016-10-17 06:39 UTC] yohgaki@php.net
Implemented in PHP 7.1.
 [2016-10-17 06:40 UTC] yohgaki@php.net
Oops. Implemented in PHP 7.2
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 13:01:29 2024 UTC