Bug #48620 X-PHP-Originating-Script assumes no trailing CRLF in $headers
Submitted: 2009-06-20 17:49 UTC Modified: 2009-06-21 15:30 UTC
From: shahar dot e at zend dot com Assigned:
Status: Closed Package: Mail related
PHP Version: 5.3.0RC4 OS: Mac OS X 10.5
Private report: No CVE-ID: None

 

 [2009-06-20 17:49 UTC] shahar dot e at zend dot com
Description:
------------
It is very possible for a developer to use code like in the attached reproduction code to send an e-mail. However, when mail.add_x_header is On, using this code will cause the X-PHP-Originating-Script to show in the message body instead of as a header. 

This is because mail() assumes the $headers parameter is a string which does not end with a trailing CRLF - while in practice it very well may be (it works well when mail.add_x_header is Off). 




Reproduce code:
---------------
<?php

$headers = array(
	'X-Foo' => 'bar',
	'From' => 'some-guy@example.com',
	'Priority' => 'Urgent'
);

$hdrStr = '';
foreach($headers as $k => $v) {
	$hdrStr .= "$k: $v\r\n";
}

mail('someone-else@example.com', 
     'Testing add_x_header', 
     'This is a test', 
     $hdrStr);


Expected result:
----------------
Mail to look like:

To: someone-else@example.com
Subject: Testing add_x_header
X-Foo: bar
From: some-guy@example.com
Priority: Urgent
Date: Sat, 20 Jun 2009 20:37:34 +0300 (IDT)
X-PHP-Originating-Script: 503:mailtest.php

This is a test


Actual result:
--------------
To: someone-else@example.com
Subject: Testing add_x_header
X-Foo: bar
From: some-guy@example.com
Priority: Urgent
Date: Sat, 20 Jun 2009 20:37:34 +0300 (IDT)

X-PHP-Originating-Script: 503:mailtest.php

This is a test



* this is how I receive the e-mail in GMail - perhaps there is some header mangling but you get the point
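
The mechanism in the report, as an added C example (not code from the report or from PHP's mail.c): a header block that already ends in CRLF, joined with another "\r\n", contains an empty line, and a mail parser treats everything after that line as body. `join_naive`, `join_safe` and `has_blank_line` are hypothetical helper names and the header values are constructed from the report's sample.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pre-fix style join: always put CRLF between the caller's block and the new line. */
static char *join_naive(const char *headers, const char *line)
{
    size_t n = strlen(headers) + strlen(line) + 4;   /* CRLF + LF + NUL */
    char *out = malloc(n);
    if (out) snprintf(out, n, "%s\r\n%s\n", headers, line);
    return out;
}

/* Hypothetical safe join: tolerates NULL, "", and any run of trailing CR/LF. */
static char *join_safe(const char *headers, const char *line)
{
    size_t len = headers ? strlen(headers) : 0;
    while (len > 0 && (headers[len - 1] == '\r' || headers[len - 1] == '\n'))
        len--;                                       /* strip trailing line ends */
    size_t n = len + strlen(line) + 5;               /* two CRLFs + NUL */
    char *out = malloc(n);
    if (out)
        snprintf(out, n, "%.*s%s%s\r\n", (int)len, len ? headers : "",
                 len ? "\r\n" : "", line);
    return out;
}

/* Returns 1 if the block contains an empty line (the header/body boundary). */
static int has_blank_line(const char *b)
{
    if (b[0] == '\n' || (b[0] == '\r' && b[1] == '\n'))
        return 1;
    return strstr(b, "\n\n") != NULL || strstr(b, "\n\r\n") != NULL;
}

int main(void)
{
    /* Constructed input: ends in CRLF, like $hdrStr in the reproduce code. */
    const char *hdrs = "X-Foo: bar\r\nFrom: some-guy@example.com\r\n";
    const char *xhdr = "X-PHP-Originating-Script: 503:mailtest.php";
    char *a = join_naive(hdrs, xhdr), *b = join_safe(hdrs, xhdr);
    if (!a || !b) return 1;
    printf("naive: blank line = %d\n", has_blank_line(a));
    printf("safe:  blank line = %d\n", has_blank_line(b));
    free(a); free(b);
    return 0;
}
```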

 [2009-06-20 19:39 UTC] shahar dot e at zend dot com
I used this patch to fix it (not sure if it's the most suitable way):

--- ext/standard/mail.c.orig    2009-06-20 22:25:10.000000000 +0300
+++ ext/standard/mail.c 2009-06-20 22:29:52.000000000 +0300
@@ -241,7 +241,10 @@
                php_basename(tmp, strlen(tmp), NULL, 0,&f, &f_len TSRMLS_CC);
 
                if (headers != NULL) {
-                       spprintf(&hdr, 0, "%s\r\nX-PHP-Originating-Script: %ld:%s\n", headers, php_getuid(), f);
+                       spprintf(&hdr, 0, "%s%sX-PHP-Originating-Script: %ld:%s\n", 
+                               headers, 
+                               (headers[strlen(headers) - 1] == '\n' ? ""  : "\r\n"),
+                               php_getuid(), f);
                } else {
                        spprintf(&hdr, 0, "X-PHP-Originating-Script: %ld:%s\n", php_getuid(), f);
                }
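Review bot: In the added `headers[strlen(headers) - 1]` lookup, an empty `headers` string passes the `headers != NULL` check and is then indexed one byte before the start of the buffer, so the length should be checked first, for example by taking `size_t len = strlen(headers);` and testing `len > 0 && headers[len - 1] == '\n'`. The test also only looks at the final byte: a block ending in two line breaks (`\r\n\r\n`) still leaves an empty line ahead of X-PHP-Originating-Script, so trimming every trailing CR/LF before appending would cover that case as well.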
 [2009-06-21 15:30 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
Last updated: Tue Dec 03 16:01:33 2024 UTC