php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #32311 mb_encode_mimeheader does not properly escape characters
Submitted: 2005-03-15 10:30 UTC Modified: 2005-04-13 10:15 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: mortoray at ecircle-ag dot com Assigned:
Status: Closed Package: mbstring related
PHP Version: 4.*, 5.* OS: *
Private report: No CVE-ID:
 [2005-03-15 10:30 UTC] mortoray at ecircle-ag dot com
Description:
------------
At least for Q encoding, this function is unsafe and does not encode correctly. Raw characters which appear as RFC2047 sequences are simply left as is.

Ex:

mb_encode_mimeheader( '=?iso-8859-1?q?this=20is=20some=20text?=' );

returns '=?iso-8859-1?q?this=20is=20some=20text?='

The exact same string, which is obviously not the encoding for the source string.  That is, mb_encode_mimeheader does not do any type of escaping.

That is, the following condition is not always true:
    mb_decode_mimeheader( mb_encode_mimeheader( $text ) ) == $text

Reproduce code:
---------------
$text = '=?iso-8859-1?q?this=20is=20some=20text?=';

assert( mb_decode_mimeheader( mb_encode_mimeheader( $text ) ) == $text );

Expected result:
----------------
The decode/encode sequence should always return the original text.


Actual result:
--------------
Returned result is different than original (that is, the assertion fails).


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-03-18 09:13 UTC] mortoray at ecircle-ag dot com
I tried the snapshot and got the same results.  What appears to be happening is that the encoders detection of disallowed characters does not include the escape sequences required to do the encoding.

That is, as long as the string is 7-bit ASCII no encoding is ever done, even if a MIME escape occurs in the source string, no encoding will be done.

From the reproduction, it is obviously expected that a MIME escape sequence will also be properly encoded.
 [2005-03-24 00:48 UTC] moriyoshi@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2005-03-24 01:00 UTC] moriyoshi@php.net
The fix won't go in either 4.3.11 or 5.0.4.

 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 23 09:02:23 2014 UTC