Bug #32311 mb_encode_mimeheader does not properly escape characters
Submitted: 2005-03-15 10:30 UTC Modified: 2005-04-13 10:15 UTC
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: mortoray at ecircle-ag dot com Assigned:
Status: Closed Package: mbstring related
PHP Version: 4.*, 5.* OS: *
Private report: No CVE-ID: None
 [2005-03-15 10:30 UTC] mortoray at ecircle-ag dot com
At least for Q encoding, this function is unsafe and does not encode correctly. Raw characters which appear as RFC2047 sequences are simply left as is.


mb_encode_mimeheader( '=?iso-8859-1?q?this=20is=20some=20text?=' );

returns '=?iso-8859-1?q?this=20is=20some=20text?='

The exact same string, which is obviously not the encoding for the source string.  That is, mb_encode_mimeheader does not do any type of escaping.

That is, the following condition is not always true:
    mb_decode_mimeheader( mb_encode_mimeheader( $text ) ) == $text

Reproduce code:
$text = '=?iso-8859-1?q?this=20is=20some=20text?=';

assert( mb_decode_mimeheader( mb_encode_mimeheader( $text ) ) == $text );

Expected result:
The decode/encode sequence should always return the original text.

Actual result:
Returned result is different than original (that is, the assertion fails).


 [2005-03-18 09:13 UTC] mortoray at ecircle-ag dot com
I tried the snapshot and got the same results.  What appears to be happening is that the encoder's detection of disallowed characters does not include the escape sequences required to do the encoding.

That is, as long as the string is 7-bit ASCII, no encoding is ever done; even if a MIME escape occurs in the source string, no encoding will be done.

From the reproduction, it is obviously expected that a MIME escape sequence will also be properly encoded.
 [2005-03-24 00:48 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

 [2005-03-24 01:00 UTC]
The fix won't go in either 4.3.11 or 5.0.4.
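
The round-trip condition from the report, checked over several inputs, as an added example that is not part of the original report or of PHP's source. The helpers `q_encode_strict` and `encode_header_value` are hypothetical names: they Q-encode any value that is non-ASCII or contains `=?`, so raw text can never be mistaken for an RFC 2047 encoded-word, and every sample except the report's own string is constructed.

```php
<?php
// Added example: hypothetical helpers, not part of mbstring.
mb_internal_encoding('UTF-8');

// Q-encode a UTF-8 value into RFC 2047 encoded-words of at most 75 bytes.
// Every byte outside [A-Za-z0-9] becomes =XX, so "=" and "?" never appear raw.
function q_encode_strict(string $text, string $charset = 'UTF-8'): string
{
    $chars = preg_split('//u', $text, -1, PREG_SPLIT_NO_EMPTY);
    if ($chars === false) {
        throw new InvalidArgumentException('value is not valid UTF-8');
    }
    $prefix = "=?$charset?Q?";
    $words = [];
    $cur = '';
    foreach ($chars as $ch) {           // whole characters, never split bytes
        $enc = '';
        foreach (str_split($ch) as $byte) {
            $enc .= preg_match('/^[A-Za-z0-9]$/', $byte)
                ? $byte
                : sprintf('=%02X', ord($byte));
        }
        if (strlen($prefix) + strlen($cur) + strlen($enc) + 2 > 75) {
            $words[] = $prefix . $cur . '?=';
            $cur = '';
        }
        $cur .= $enc;
    }
    $words[] = $prefix . $cur . '?=';
    return implode("\r\n ", $words);    // folded continuation lines
}

// Leave printable ASCII alone only when it cannot be read as an encoded-word.
function encode_header_value(string $text): string
{
    $needs = preg_match('/[^\x20-\x7E]/', $text) || strpos($text, '=?') !== false;
    return $needs ? q_encode_strict($text) : $text;
}

$samples = [
    '=?iso-8859-1?q?this=20is=20some=20text?=',   // string from the report
    'plain subject',                              // constructed
    'Grüße =?x?= and more',                       // constructed
];
foreach ($samples as $text) {
    foreach (['mb_encode_mimeheader', 'encode_header_value'] as $encoder) {
        $wire = $encoder($text);
        $ok = mb_decode_mimeheader($wire) === $text;
        printf("%-22s %-4s %s\n", $encoder, $ok ? 'ok' : 'FAIL', json_encode($wire));
    }
}
```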
