Bug #19307 ASCII control char injection "fix" in mail()
Submitted: 2002-09-09 06:48 UTC Modified: 2003-02-26 14:42 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: mbr at freebsd dot org Assigned:
Status: Closed Package: Mail related
PHP Version: 4.2.3 OS: FreeBSD
Private report: No CVE-ID: None
 [2002-09-09 06:48 UTC] mbr at freebsd dot org
In 4.2.3 the ASCII control char injection in the 5th parameter to sendmail got fixed, that means it got disabled if a user is using the securemode.

Of course this is an important thing to do, but we use the -f parameter of
sendmail, so disabling it completely is not an option.

mail($emailto, $titel, $text, "From: $emailfrom\nReply-To: $emailfrom\nContent-Type: text/plain; charset=iso-8859-1\nContent-Transfer-Encoding: 8bit", "-f$emailfrom"); 

So my question is if you could enable just -f mail address, and verify if it is a mail
address and reject all other things.

Martin

Martin Blapp, <mb@imp.ch> <mbr@FreeBSD.org>
------------------------------------------------------------------
ImproWare AG, UNIXSP & ISP, Zurlindenstrasse 29, 4133 Pratteln, CH
Phone: +41 061 826 93 00: +41 61 826 93 01
PGP: <finger -l mbr@freebsd.org>
PGP Fingerprint: B434 53FC C87C FE7B 0A18 B84C 8686 EF22 D300 551E
------------------------------------------------------------------
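
An added example (not part of the report and not PHP's own code) of the check the submitter asks for: accept the fifth argument only when it is exactly -f followed by a single address, and reject everything else. The function name and the deliberately narrow address character set are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not PHP's mail.c): returns 1 only when arg is exactly
 * "-f" followed by one conservative local@domain address, otherwise 0. */
int is_safe_envelope_arg(const char *arg)
{
    const char *p, *at = NULL;
    size_t len;

    if (arg == NULL)
        return 0;
    len = strlen(arg);
    if (len < 5 || len > 256)               /* shortest accepted form: "-fa@b" */
        return 0;
    if (arg[0] != '-' || arg[1] != 'f' || arg[2] == '-')
        return 0;                           /* only -f, and no option-like address */

    for (p = arg + 2; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == '@') {
            if (at != NULL || p == arg + 2) /* second '@' or empty local part */
                return 0;
            at = p;
        } else if (isalnum(c) || c == '.' || c == '-') {
            continue;                       /* allowed on both sides of '@' */
        } else if (at == NULL && (c == '_' || c == '+')) {
            continue;                       /* allowed in the local part only */
        } else {
            return 0;                       /* whitespace, control chars, quotes, ... */
        }
    }
    if (at == NULL || at[1] == '\0' || at[1] == '.' || at[1] == '-')
        return 0;                           /* missing or malformed domain */
    if (arg[len - 1] == '.' || arg[len - 1] == '-')
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample arguments. */
    const char *samples[] = { "-fbounce@example.org", "-fbounce@example.org -v",
                              "-fbounce@example.org\n", "-t", "-f" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%d\n", is_safe_envelope_arg(samples[i]));
    return 0;
}
```

Because whitespace is rejected outright, a second option can never follow the address, which covers the "only one parameter" case without a separate scan.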

 [2002-09-10 04:54 UTC] mb at imp dot ch
I live now with this patch ...

--- ext/standard/mail.c.orig    Sat Aug 24 13:38:13 2002
+++ ext/standard/mail.c Tue Sep 10 11:19:33 2002
@@ -72,11 +72,6 @@
        char *to=NULL, *message=NULL, *headers=NULL, *subject=NULL, *extra_cmd=NULL;
        int to_len,message_len,headers_len,subject_len,extra_cmd_len,i;
        
-       if (PG(safe_mode) && (ZEND_NUM_ARGS() == 5)) {
-               php_error(E_WARNING, "%s(): SAFE MODE Restriction in effect.  The fifth parameter is disabled in SAFE MODE.", get_active_function_name(TSRMLS_C));
-               RETURN_FALSE;
-       }
-       
        if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sss|ss",
                                                          &to, &to_len,
                                                          &subject, &subject_len,
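Review bot: Removing the fail-closed safe-mode guard that sat ahead of zend_parse_parameters means the fifth argument is now accepted in safe mode unless the later check rejects it, so this removal is only safe if every failing branch of the replacement block ends in RETURN_FALSE. A short comment at this spot saying that the safe-mode check now runs after argument parsing would make the dependency visible, and the warning text change ("The fifth parameter is disabled in SAFE MODE") should be reflected in the documentation for mail().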
@@ -111,6 +106,33 @@
                }
        }
 
+       if (PG(safe_mode) && (ZEND_NUM_ARGS() == 5)) {
+               if (extra_cmd > 0) {
+                       if (extra_cmd[0] != '-' || extra_cmd[1] != 'f') {
+                               php_error(E_WARNING,
+                                   "%s(): SAFE MODE Restriction in effect.  SAFE MODE does only allow -f as fifth parameter.",
+                                   get_active_function_name(TSRMLS_C));
+                               RETURN_FALSE;
+                       }
+               }
+               for(;extra_cmd_len;extra_cmd_len--) {
+                       if(!isspace((unsigned char)extra_cmd[extra_cmd_len-1]))break;
+                       to[extra_cmd_len-1]='\0';
+               }
+               for(i=2;extra_cmd[i];i++) {
+                       if (iscntrl((unsigned char)extra_cmd[i])) {
+                               php_error(E_WARNING,
+                                   "%s(): SAFE MODE Restriction in effect. Forbidden control characters found in fifth parameter.",
+                                   get_active_function_name(TSRMLS_C));
+                               RETURN_FALSE;
+                       }
+                       if (isspace((unsigned char)extra_cmd[i - 1]) && extra_cmd[i] == '-') {
+                               php_error(E_WARNING,
+                                   "%s(): SAFE MODE Restriction in effect.  SAFE MODE does only allow -f and only one parameter.",
+                                   get_active_function_name(TSRMLS_C));
+                       }
+               }
+       }
        if(extra_cmd)
                extra_cmd = php_escape_shell_arg(extra_cmd);
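Review bot: In the trailing-whitespace loop, `to[extra_cmd_len-1]='\0';` writes into the recipient buffer instead of `extra_cmd`, so the fifth argument is never trimmed and `to` is truncated, or written past its end when extra_cmd is longer than to; it should read `extra_cmd[extra_cmd_len-1]='\0';`. The last branch (`isspace(...) && extra_cmd[i] == '-'`) emits the "only one parameter" warning but has no RETURN_FALSE, so the call still proceeds with the extra option. `if (extra_cmd > 0)` is a pointer comparison and would be clearer as a NULL or `extra_cmd_len` check. Nothing in the block verifies that what follows -f is a mail address, which is what the report asks for.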
 [2003-01-17 08:14 UTC] l dot ertl at univie dot ac dot at
I would really appreciate it if this patch could make it into the official PHP distribution. It's not unusual to have safe_mode on and insist that users have to change the Envelope-From when sending mail.
 [2003-02-26 14:42 UTC] derick@php.net
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.

From PHP 5 you will be able to force the extra parameters to be set with the ini setting "mail_force_extra_parameters", see also:
http://news.php.net/article.php?group=php.cvs&article=19210

Derick
