Bug #80216 imap_mail_compose() does not validate types/encodings
Submitted: 2020-10-10 16:35 UTC
Modified: 2020-10-12 09:13 UTC
From: cmb@php.net
Assigned: cmb
Status: Closed
Package: IMAP related
PHP Version: 7.3Git-2020-10-10 (Git)
OS: *
Private report: No
CVE-ID: None

 [2020-10-10 16:35 UTC] cmb@php.net
Description:
------------
If imap_mail_compose() is used to create a multipart MIME message
without specifying explicit types for the individual parts, that
leads to a segfault.  Since the type for the first body defaults
to TYPETEXT, I would expect the individual parts to default to
TYPETEXT as well.


Test script:
---------------
<?php
$envelope = [
    'from' => 'me@example.com',
    'to' => 'you@example.com',
    'subject' => 'hello',
];
$body = [[
    'type' => TYPEMULTIPART,
], [
    'contents.data' => 'yada yada',
]];
echo imap_mail_compose($envelope, $body);
?>


Expected result:
----------------
From: me@example.com
Subject: hello
To: you@example.com
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="321-1709-1602347443=:9960"

--321-1709-1602347443=:9960
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII

yada yada
--321-1709-1602347443=:9960--


Actual result:
--------------
segfault

 [2020-10-10 16:35 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
 [2020-10-12 09:13 UTC] cmb@php.net
-Summary: imap_mail_compose() segfaults on multipart w/o part type +Summary: imap_mail_compose() does not validate types/encodings
 [2020-10-12 09:13 UTC] cmb@php.net
Actually, it is not just about omitting the type; more generally,
if a type < 0 or >= TYPEMAX is passed, we do OOB reads.  And there
are potential issues where TYPEOTHER < type < TYPEMAX, because
these types *may* not have associated type names, in which case we
segfault as well.

The encoding parameter has basically the same issue.
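
One way to apply the range and name-table check described in the comment above, as an added example (not the php-src patch and not code from this report). The constants and tables are modelled on c-client and their numeric values are assumptions; `checked_name` and `resolve` are hypothetical helpers.

```c
#include <stddef.h>
#include <stdio.h>

/* Constants modelled on c-client; the numeric values are assumptions
   of this example, not taken from the report. */
enum { TYPETEXT = 0, TYPEMULTIPART = 1, TYPEOTHER = 8, TYPEMAX = 15 };
enum { ENC7BIT = 0, ENCOTHER = 5, ENCMAX = 10 };

/* Constructed name tables: slots past the last named value stay NULL,
   which is the "no associated type name" case from the report. */
static const char *const type_names[TYPEMAX] = {
    "TEXT", "MULTIPART", "MESSAGE", "APPLICATION", "AUDIO",
    "IMAGE", "VIDEO", "MODEL", "X-UNKNOWN"
};
static const char *const enc_names[ENCMAX] = {
    "7BIT", "8BIT", "BINARY", "BASE64", "QUOTED-PRINTABLE", "X-UNKNOWN"
};

/* Hypothetical helper: map a caller-supplied index to its name.
   Returns NULL when the index is out of range or the slot is unnamed,
   so the table is never read out of bounds. */
static const char *checked_name(const char *const *table, long count, long idx)
{
    if (idx < 0 || idx >= count) return NULL;   /* would be an OOB read */
    return table[idx];                          /* may still be NULL */
}

/* Hypothetical helper: resolve one part's type or encoding.
   present == 0 means the key was omitted, so the default is used.
   Returns 0 and stores the value on success, -1 if it must be rejected. */
static int resolve(const char *const *table, long count, int present,
                   long requested, long dflt, long *out)
{
    long v = present ? requested : dflt;
    if (checked_name(table, count, v) == NULL) return -1;
    *out = v;
    return 0;
}

int main(void)
{
    long samples[] = { -1, TYPEMULTIPART, TYPEOTHER + 1, TYPEMAX, 1000 };
    long v = 0;
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("type %ld -> %s\n", samples[i],
               resolve(type_names, TYPEMAX, 1, samples[i], TYPETEXT, &v) ? "rejected" : type_names[v]);
    printf("omitted encoding -> %s\n",
           resolve(enc_names, ENCMAX, 0, 0, ENC7BIT, &v) ? "rejected" : enc_names[v]);
    return 0;
}
```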
 [2020-10-12 12:10 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #80216: imap_mail_compose() does not validate types/encodings
On GitHub:  https://github.com/php/php-src/pull/6323
Patch:      https://github.com/php/php-src/pull/6323.patch
 [2020-10-12 14:32 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=73e43b6e19720112f0d10bd988d840e7537055a4
Log: Fix #80216: imap_mail_compose() does not validate types/encodings
 [2020-10-12 14:32 UTC] cmb@php.net
-Status: Assigned +Status: Closed
Last updated: Thu Nov 21 13:01:29 2024 UTC