PHP :: Bug #19307 :: ASCII control char injection "fix" in mail()

Bug #19307

ASCII control char injection "fix" in mail()

Submitted:

2002-09-09 06:48 UTC

Modified:

2003-02-26 14:42 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

mbr at freebsd dot org

Assigned:

Status:

Closed

Package:

Mail related

PHP Version:

4.2.3

OS:

FreeBSD

Private report:

CVE-ID:

None

View Developer Edit

Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !

Your email address: MUST BE VALID
Solve the problem: 11 + 35 = ?
Subscribe to this entry?

[2002-09-09 06:48 UTC] mbr at freebsd dot org

In 4.2.3 the ASCII control char injection in the 5th parameter to sendmail got fixed, that means it got disabled if a user is using the securemode.

Of course this is a important thing to do, but we use the -f parameter of
sendmail, so disable it completly is not an option.

mail($emailto, $titel, $text, "From: $emailfrom\nReply-To: $emailfrom\nContent-Type: text/plain; charset=iso-8859-1\nContent-Transfer-Encoding: 8bit", "-f$emailfrom"); 

So my question is if you could enable just -f mailadress, and verify if it is a mail-
adress and reject all other things.

Martin

Martin Blapp, <mb@imp.ch> <mbr@FreeBSD.org>
------------------------------------------------------------------
ImproWare AG, UNIXSP & ISP, Zurlindenstrasse 29, 4133 Pratteln, CH
Phone: +41 061 826 93 00: +41 61 826 93 01
PGP: <finger -l mbr@freebsd.org>
PGP Fingerprint: B434 53FC C87C FE7B 0A18 B84C 8686 EF22 D300 551E
------------------------------------------------------------------

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2002-09-10 04:54 UTC] mb at imp dot ch

I live now with this patch ...

--- ext/standard/mail.c.orig    Sat Aug 24 13:38:13 2002
+++ ext/standard/mail.c Tue Sep 10 11:19:33 2002
@@ -72,11 +72,6 @@
        char *to=NULL, *message=NULL, *headers=NULL, *subject=NULL, *extra_cmd=NULL;
        int to_len,message_len,headers_len,subject_len,extra_cmd_len,i;
        
-       if (PG(safe_mode) && (ZEND_NUM_ARGS() == 5)) {
-               php_error(E_WARNING, "%s(): SAFE MODE Restriction in effect.  The fifth parameter is disabled in SAFE MODE.", get_active_function_name(TSRMLS_C));
-               RETURN_FALSE;
-       }
-       
        if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sss|ss",
                                                          &to, &to_len,
                                                          &subject, &subject_len,
@@ -111,6 +106,33 @@
                }
        }
 
+       if (PG(safe_mode) && (ZEND_NUM_ARGS() == 5)) {
+               if (extra_cmd > 0) {
+                       if (extra_cmd[0] != '-' || extra_cmd[1] != 'f') {
+                               php_error(E_WARNING,
+                                   "%s(): SAFE MODE Restriction in effect.  SAFE MODE does only allow -f as fifth parameter.",
+                                   get_active_function_name(TSRMLS_C));
+                               RETURN_FALSE;
+                       }
+               }
+               for(;extra_cmd_len;extra_cmd_len--) {
+                       if(!isspace((unsigned char)extra_cmd[extra_cmd_len-1]))break;
+                       to[extra_cmd_len-1]='\0';
+               }
+               for(i=2;extra_cmd[i];i++) {
+                       if (iscntrl((unsigned char)extra_cmd[i])) {
+                               php_error(E_WARNING,
+                                   "%s(): SAFE MODE Restriction in effect. Forbidden control characters found in fifth parameter.",
+                                   get_active_function_name(TSRMLS_C));
+                               RETURN_FALSE;
+                       }
+                       if (isspace((unsigned char)extra_cmd[i - 1]) && extra_cmd[i] == '-') {
+                               php_error(E_WARNING,
+                                   "%s(): SAFE MODE Restriction in effect.  SAFE MODE does only allow -f and only one parameter.",
+                                   get_active_function_name(TSRMLS_C));
+                       }
+               }
+       }
        if(extra_cmd)
                extra_cmd = php_escape_shell_arg(extra_cmd);

[2003-01-17 08:14 UTC] l dot ertl at univie dot ac dot at

I would really appreciate it if this patch could make it into the official PHP distribution. It's not unusual to have safe_mode on and insist that user have to change the Envelope-From when sending mail.

[2003-02-26 14:42 UTC] derick@php.net

This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.

From PHP 5 you will be able to force the extra parameters to be set with the ini setting "mail_force_extra_parameters", see also:
http://news.php.net/article.php?group=php.cvs&article=19210

Derick

[2025-07-30 16:33 UTC] git@php.net

Automatic comment on behalf of cmb69
Revision: https://github.com/php/php-src/commit/4754d302bffc601729353984e453e88e30421425
Log: Fix #19307: PGO builds of shared ext-intl are broken

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri Oct 24 08:00:01 2025 UTC