Bug #22939 imap_header_info crashes a page when the from, cc or bcc field is () or <>
Submitted: 2003-03-28 09:53 UTC Modified: 2003-04-15 14:40 UTC
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: simon dot wilmer at milestoneip dot com Assigned:
Status: Closed Package: IMAP related
PHP Version: 4.3.1 OS: Red Hat 8.0
Private report: No CVE-ID:
 [2003-03-28 09:53 UTC] simon dot wilmer at milestoneip dot com

Using PHP 4.3.0 and 4.3.1 with IMAP_2001.RELEASE-CANDIDATE.1 and IMAP_2003.DEV.SNAP-0303181124 and Apache 1.3.27. The imap_header_info function returns an object with headers from an email. When trying to read the ->to, ->toaddress, ->cc, ->ccaddress, ->bcc, ->bccaddress values, the page will crash if the from, cc or bcc field in the email itself is "()" or "<>" in the headers. Any normal text is fine, but the values above cause the page to crash.

There is no error message returned unfortunately. Below is some sample code to test this.

Also you will need to set the "from" in an email to () or <> to cause the problem. If anyone thinks it's a good idea I might email as someone could "break" the mailbox of any web based email system by mailing an email with a "broken" from field.

Sample code:
	<?php
	// Open the mailbox (placeholder credentials).
	$connection = imap_open('{localhost:143}INBOX', 'username', 'password');

	// Read the headers of message 1; its From field is "()" or "<>".
	$headers = imap_headerinfo($connection, 1);
	echo $headers->subject." <br>";
	$var = $headers->from;
	if (is_array($var)) {
		// This line is where the script "hangs"
		echo $var[0]->mailbox."@".$var[0]->host;
	}


 [2003-04-04 11:24 UTC] simon dot wilmer at milestoneip dot com

Sorry, the latest CVS seems to suffer from the same problem. 

I decided to have a little play with the code in php_imap.c and managed to work out a way of stopping the problem, by changing a section of code in _php_make_header_object() that assigns the fromaddress and from[] variables. It's around line 3700 depending on the version. The "fix" works by checking the length of the from variable is greater than 0. If it's 0 it just skips assigning the value.

if (en->from) {
   _php_imap_parse_address(en->from, &fulladdress, paddress TSRMLS_CC);
   //Check the length of the from field to see if it's 0,
   //if it is 0 then a field like () has been found
   if (_php_imap_address_size(en->from) > 0) {
      if (fulladdress) {
         add_property_string(myzvalue, "fromaddress", fulladdress, 1);
      }
      add_assoc_object(myzvalue, "from", paddress);
   }
}

The same change can be made to the Cc and Bcc parts to prevent the problem with them. 

I don't know if this might break anything else, but hopefully this will be helpful for investigating further. 

 [2003-04-08 20:45 UTC]
Could you please try the patch at, which hopefully will solve this problem. Unfortunately, I do not have access to an IMAP-enabled server, so I cannot test it myself.

 [2003-04-15 14:40 UTC] simon dot wilmer at milestoneip dot com

Thanks that sorts it out nicely. 
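
An application-side pre-check for the condition in this report, as an added example (not code from the report or from PHP itself): it scans raw header text for address fields that contain nothing but "()" or "<>" so a webmail script can skip imap_headerinfo() for that message on an unpatched build. The function name find_empty_address_headers and the sample headers are hypothetical; it assumes the raw header text was obtained separately, for example with imap_fetchheader().

```php
<?php
// Added example: flag address headers that are empty once RFC 822 comments
// "( ... )" and angle brackets are removed, e.g. "From: ()" or "Cc: <>".
// Written without type declarations or short array syntax so the same code
// also parses on old PHP versions.

function find_empty_address_headers($rawHeaders)
{
    // Unfold continuation lines (line break followed by space or tab).
    $unfolded = preg_replace('/\r?\n[ \t]+/', ' ', $rawHeaders);
    $suspect = array();

    foreach (preg_split('/\r?\n/', $unfolded) as $line) {
        if ($line === '') {
            break; // blank line ends the header block
        }
        if (!preg_match('/^(From|To|Cc|Bcc|Reply-To|Sender):(.*)$/i', $line, $m)) {
            continue; // not an address header
        }
        $value = $m[2];
        // Strip comments repeatedly so nested "(a (b))" is fully removed.
        while (($stripped = preg_replace('/\([^()]*\)/', '', $value)) !== $value) {
            $value = $stripped;
        }
        // Remove brackets, list separators and whitespace; anything left
        // over means the field carries some address or display text.
        $value = preg_replace('/[<>,;\s]/', '', $value);
        if ($value === '') {
            $suspect[] = strtolower($m[1]);
        }
    }
    return $suspect;
}

// Constructed sample headers (not taken from a real message).
$sample = "From: ()\r\n"
        . "To: user@example.com\r\n"
        . "Cc: <>\r\n"
        . "Subject: test\r\n"
        . "\r\n"
        . "body";

$flagged = find_empty_address_headers($sample);
if (count($flagged) > 0) {
    echo "Skipping imap_headerinfo(); empty address fields: "
        . implode(', ', $flagged) . "\n";
}
```

The check is a heuristic: it also flags an address header with no value at all, which errs on the side of skipping the message.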

Last updated: Wed Nov 25 12:01:35 2015 UTC