Bug #22939 imap_header_info crashes a page when the from, cc or bcc field is () or <>
Submitted: 2003-03-28 09:53 UTC Modified: 2003-04-15 14:40 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: simon dot wilmer at milestoneip dot com Assigned:
Status: Closed Package: IMAP related
PHP Version: 4.3.1 OS: Red Hat 8.0
Private report: No CVE-ID:
 [2003-03-28 09:53 UTC] simon dot wilmer at milestoneip dot com
Hi,

Using PHP 4.3.0 and 4.3.1 with IMAP_2001.RELEASE-CANDIDATE.1 and IMAP_2003.DEV.SNAP-0303181124 and Apache 1.3.27. The imap_header_info function returns an object with headers from an email, when trying to read the ->to, ->toaddress, ->cc, ->ccaddress, ->bcc, ->bccaddress values the page will crash if the from, cc or bcc field in the email itself is "()" or "<>" in the headers. Any normal text is fine, but the values above cause the page to crash. 

There is no error message returned unfortunately. Below is some sample code to test this.

Also you will need to set the "from" in an email to () or <> to cause the problem. If anyone thinks it's a good idea I might email security@php.net as someone could "break" the mailbox of any web based email system by mailing an email with a "broken" from field.

Sample code:
<?php
    $connection = imap_open('{localhost:143}INBOX', 'username', 'password');
    if ($connection === false) {
        die('imap_open failed: ' . imap_last_error());
    }

    $headers = imap_headerinfo($connection, 1);
    echo $headers->subject . " <br>";

    $var = $headers->from;

    if (is_array($var)) {
        // This line is where the script "hangs" when the From: field is "()" or "<>"
        echo $var[0]->mailbox . "@" . $var[0]->host;
    }

    imap_close($connection);
?>

 [2003-04-04 11:24 UTC] simon dot wilmer at milestoneip dot com
Hi,

Sorry, the latest CVS seems to suffer from the same problem. 

I decided to have a little play with the code in php_imap.c and managed to work out a way of stopping the problem, by changing a section of code in _php_make_header_object() that assigns the fromaddress and from[] variables. It's around line 3700 depending on the version. The "fix" works by checking the length of the from variable is greater than 0. If it's 0 it just skips assigning the value.

if (en->from) {
   MAKE_STD_ZVAL(paddress);
   array_init(paddress);
   _php_imap_parse_address(en->from, &fulladdress, paddress TSRMLS_CC);
   
   //Check the length of the from field to see if it's 0,
   //if it is 0 then a field like () has been found
   if (_php_imap_address_size(en->from) > 0) {
      if (fulladdress) {
         add_property_string(myzvalue, "fromaddress", fulladdress, 1);
         free(fulladdress);
      }

      add_assoc_object(myzvalue, "from", paddress);
   }
}

The same change can be made to the Cc and Bcc parts to prevent the problem with them. 

I don't know if this might break anything else, but hopefully this will be helpful for investigating further. 

Cheers,
Simon
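The guard described in the comment above, as an added stand-alone C model that is not code from PHP or c-client: the ADDRESS struct, parse_address(), address_size() and render_from_header() are simplified stand-ins, and the header values are constructed samples covering the "()" and "<>" shapes from the report.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for c-client's ADDRESS node (constructed for this example). */
typedef struct {
    const char *mailbox;   /* NULL when the header had no local part, e.g. "()" or "<>" */
    const char *host;      /* NULL when the header had no domain */
} ADDRESS;

/* Parse one From/Cc/Bcc value into addr, copying the parts into caller-owned buf.
   An empty group "()" or an empty angle address "<>" leaves both pointers NULL. */
static void parse_address(const char *raw, ADDRESS *addr, char *buf, size_t buflen) {
    const char *s = raw, *e, *at;
    addr->mailbox = addr->host = NULL;
    while (*s == ' ') s++;
    if ((e = strchr(s, '<')) != NULL) { s = e + 1; if ((e = strchr(s, '>')) == NULL) return; }
    else if (*s == '(')               { s++;       if ((e = strchr(s, ')')) == NULL) return; }
    else e = s + strlen(s);
    if (e == s) return;                                  /* "<>" or "()": nothing to assign */
    at = memchr(s, '@', (size_t)(e - s));
    if (at == NULL || (size_t)(e - s) + 1 > buflen) return;
    memcpy(buf, s, (size_t)(e - s));
    buf[e - s] = '\0';
    buf[at - s] = '\0';                                  /* split "mailbox@host" in place */
    addr->mailbox = buf;
    addr->host = buf + (at - s) + 1;
}

/* Same role as _php_imap_address_size(): total length of the parts, 0 for an empty node. */
static size_t address_size(const ADDRESS *a) {
    return (a->mailbox ? strlen(a->mailbox) : 0) + (a->host ? strlen(a->host) : 0);
}

/* Build "mailbox@host". Without the size check, formatting NULL pointers is the kind of
   dereference that took the reporter's page down; with it the field is simply skipped. */
static int format_address(const ADDRESS *a, char *out, size_t outlen) {
    if (address_size(a) == 0) { out[0] = '\0'; return 0; }   /* the patch's guard */
    if (snprintf(out, outlen, "%s@%s", a->mailbox, a->host) >= (int)outlen) return -1;
    return 1;
}

/* 1 = formatted, 0 = skipped because the header was empty, -1 = output truncated. */
int render_from_header(const char *raw, char *out, size_t outlen) {
    ADDRESS a; char buf[128];
    parse_address(raw, &a, buf, sizeof buf);
    return format_address(&a, out, outlen);
}

int main(void) {
    const char *samples[] = { "Alice <alice@example.com>", "bob@example.com", "()", "<>" };
    char out[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = render_from_header(samples[i], out, sizeof out);
        printf("%-28s -> rc=%d %s\n", samples[i], rc, rc == 1 ? out : "(skipped)");
    }
    return 0;
}
```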
 [2003-04-08 20:45 UTC] iliaa@php.net
Could you please try the patch at http://bb.prohost.org/imap.txt, which hopefully will solve this problem. Unfortunately, I do not have access to imap enabled server, so I cannot test it myself.


 [2003-04-15 14:40 UTC] simon dot wilmer at milestoneip dot com
Hi,

Thanks that sorts it out nicely. 

Cheers,
Simon
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Mon Apr 21 10:02:10 2014 UTC