PHP :: Bug #69791 :: Disallow mail header injections by extra headers

Bug #69791

Disallow mail header injections by extra headers

Submitted:

2015-06-10 08:42 UTC

Modified:

2016-10-17 06:40 UTC

Votes:	4
Avg. Score:	4.5 ± 0.9
Reproduced:	3 of 4 (75.0%)
Same Version:	3 (100.0%)
Same OS:	2 (66.7%)

From:

yohgaki@php.net

Assigned:

yohgaki (profile)

Status:

Closed

Package:

Mail related

PHP Version:

master-Git-2015-06-10 (Git)

OS:

any

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	yohgaki@php.net
New email:
PHP Version:		OS:

New Comment:

[2015-06-10 08:42 UTC] yohgaki@php.net

Description:
------------
Current mail() and mb_send_mail() accepts additional headers as single string. Therefore, these functions are weak to mail header injections.

To avoid injections, mail/mb_send_mail should be able to accept additional headers as array that contains each element as single header. RFC 2822 "3.6. Field definitions" restricts certain header only once. 

https://tools.ietf.org/html/rfc2822#section-3.6
e.g. to, from, cc, bcc, subject, etc. 

Except these headers, mail/mb_send_mail should be able to set a headers multiple times.

Example additional headers array

$extra_headers = ["Bcc"=>"php@php.net", "X-Other"=>["One", "Two"]];

Since "To" and "Subject" have dedicated parameters, $extra_headers should not contain "To" and "Subject". 

Related bugs
 - https://bugs.php.net/bug.php?id=15841
 - https://bugs.php.net/bug.php?id=14799
 - https://bugs.php.net/bug.php?id=68776

Patches

Pull Requests

Pull requests:

protect master branches except for the pecl repos against force pushes (karma/4)
Imprement bug69791 - https://bugs.php.net/bug.php?id=69791 (php-src/2060)

History

AllCommentsChangesGit/SVN commitsRelated reports

[2015-06-10 08:42 UTC] yohgaki@php.net

-Assigned To: +Assigned To: yohgaki

[2015-06-23 20:03 UTC] cmb@php.net

Related To: Bug #68776

[2016-08-06 01:20 UTC] kalle@php.net

I think this is a rather elegant solution, and it can be implemented in a sort of BC compatible way since the $extra_headers argument is expected to be a string. We could then move forward with E_DEPRECATED for sometime in 7.x and later force it to be an array.

+1

[2016-10-17 06:39 UTC] yohgaki@php.net

-Status: Assigned +Status: Closed

[2016-10-17 06:39 UTC] yohgaki@php.net

Implemented in PHP 7.1.

[2016-10-17 06:40 UTC] yohgaki@php.net

Oops. Implemented in PHP 7.2

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 12:01:29 2024 UTC